Abstract

We  present  an  authorization  logic  that  permits  reasoning  with  explicit  time.  Following  a  proof- 
theoretic  approach,  we  study  the  meta-theory  of  the  logic,  including  cut  elimination.  We  also 
demonstrate  formal  connections  to  proof-carrying  authorization’s  existing  approach  for  handling 
time  and  comment  on  the  enforceability  of  our  logic  in  the  same  framework.  Finally,  we  illustrate 
the  expressiveness  of  the  logic  through  examples,  including  those  with  complex  interactions  between 
time,  authorization,  and  mutable  state. 
1 Introduction


Most  secure  systems  restrict  operations  that  users,  machines,  and  other  principals  can  perform  on 
files  and  other  resources.  A  reference  monitor  authorizes  (or  denies)  requests  to  access  resources, 
in  consultation  with  a  set  of  rules  called  the  security  policy.  Time  is  central  to  most  policies.  A 
student,  for  instance,  may  be  allowed  to  access  course  related  material  only  during  the  specific 
semester  that  she  is  registered  for  the  class. 

In practice, security policies are often large and complicated, necessitating formal mechanisms
for both their enforcement and their analysis. Although several trust management frameworks
[8, 9, 24, 27-29, 32], languages [7, 14], and access control logics [1, 2, 12, 18, 19, 25, 26] have been
proposed  for  enforcing  and  sometimes  for  reasoning  about  access  control  policies,  these  proposals 
rarely  handle  time  explicitly,  either  omitting  it  altogether,  or  leaving  it  to  an  external  enforcement 
mechanism.  As  a  result,  policies  with  complex  time-dependent  relationships  cannot  be  expressed, 
and,  in  other  cases,  reasoning  accurately  about  time  is  extremely  difficult. 

The  purpose  of  this  report  is  to  bridge  this  gap  between  using  time  in  practice  and  reasoning 
about  it;  we  propose  an  authorization  logic  that  allows  explicit  mention  of  time,  making  it  easier 
to  reason  about  the  time-dependent  consequences  of  policies.  This  logic  combines  ideas  from  an 
existing  authorization  logic  [18, 19]  with  ideas  from  both  hybrid  logics  [11,  33]  and  constraint-based 
logics  [23,  34]  to  allow  formulas  of  the  form  A@I  where  A  is  a  proposition  and  I  is  the  time  interval 
on  which  it  holds.  Following  earlier  proposals,  we  make  the  logic  constructive  to  keep  evidence 
as  direct  as  possible.  We  also  include  linearity  to  model  consumable  authorizations;  their  use  is 
illustrated in our examples. We call the logic η-logic (pronounced eta logic, for Explicitly Timed
Authorization logic).

η-logic is strictly more expressive than existing logics for access control, because policies with
complex time-dependent relationships can be expressed in it, which is impossible in logics proposed
hitherto. For instance, the following policy can be expressed in η-logic: "If an employee requests a
parking  space  before  the  end  of  a  month,  she  will  be  given  a  parking  permit  valid  throughout  the 
next  month.”  It  is  difficult  to  imagine  how  such  a  policy  could  be  expressed  unless  time  is  allowed 
explicitly  in  formulas.  The  policies  described  in  section  4  illustrate  similar  complex  time-based 
relationships. 

Our principal interest in designing η-logic is its deployment with proof-carrying authorization
(PCA)  [3-5].  In  the  PCA  paradigm,  security  policies  are  formalized  in  a  logic,  and  each  access 
request  is  accompanied  by  a  formal  proof  establishing  that  authorization  for  the  request  follows 
logically  from  the  policies.  The  reference  monitor  verifies  the  correctness  of  the  proof,  and  allows 
or  denies  access  accordingly.  PCA  provides  a  flexible  mechanism  for  access  control  in  distributed 
systems.  In  existing  approaches  the  proof  presented  to  the  reference  monitor  establishes  that  the 
requester  is  allowed  to  access  the  resource  in  question,  leaving  the  validity  of  the  proof  at  the  time 
of request to a separate enforcement check. With η-logic, the proof itself can be refined to mention
that  access  is  allowed  at  the  time  of  the  request.  We  make  a  formal  connection  between  the  two 
approaches  in  section  3.4. 

In addition to its applications with PCA, we expect that η-logic can be used in specifying the
behavior  of  systems  with  time-dependent  authorization  policies.  In  such  cases,  the  logic  can  be  used 
to  formally  establish  correctness  properties  of  the  system,  as  in  [18].  The  first  example  in  section  4 
illustrates  this  approach.  Linearity  plays  a  crucial  role  in  this  setting,  facilitating  accurate  models 
of  mutable  state. 

In the spirit of Gentzen's pioneering work on proof theory [20], we abstain from model-theoretic
semantics, instead presenting η-logic as a sequent calculus. This brings the logic closer to realization
in  tools  like  theorem  provers  and  proof  verifiers,  and  facilitates  a  detailed  study  of  its  meta-theory, 
which is central to our work. We establish several properties, including consistency and cut elimination,
which increase confidence in the logic's foundations. Cut elimination also implies that the
meanings  of  connectives  in  the  logic  are  independent  of  each  other.  This  makes  the  logic  open 
to  extension  with  new  connectives.  Establishing  these  properties  is  non-trivial,  involving  a  deep 
interplay  between  inference  rules  and  constraints. 

In  summary,  this  work  makes  several  contributions.  First,  it  introduces  explicit  time  into 
reasoning  about  authorization.  In  contrast  to  existing  approaches,  this  makes  it  possible  to  express 
and  reason  robustly  about  time-dependent  policies. 

Second,  it  formalizes  implementations  of  PCA  that  deal  with  time  in  an  extra-logical  manner 
and  rely  only  on  validity  intervals  of  embedded  digitally  signed  certificates.  We  further  show  that 
policy  enforcement  in  PCA  (at  least  for  a  fragment)  is  no  more  difficult  than  in  the  logics  that  have 
been  proposed  previously. 

Third,  our  system  integrates  explicit  time  and  linearity.  This  represents  a  non-trivial  challenge, 
because  both  time  intervals  and  single-use  assumptions  restrict  availability  of  hypotheses  during 
reasoning,  but  in  entirely  different  ways.  Our  meta-theorems,  specifically  the  cut  elimination  and 
identity properties, show that these concepts are indeed compatible, at least in a constructive setting.
The key is a novel combination of ideas from hybrid logic with constraints. The examples
demonstrate  that  the  combination  allows  logical  expression  and  enforcement  of  a  wide  range  of 
practically  occurring  policies  which  were  previously  intractable. 

Related  Work.  Our  work  draws  upon  ideas  from  several  kinds  of  logics.  Most  closely  related 
are  works  on  constructive  authorization  logic  [18, 19],  from  which  we  borrow  linearity,  affirmation, 
and  our  style  of  presentation.  The  “says”  construct  in  our  logic  was  first  introduced  by  Abadi  et 
al.  [2,  25],  and  adopted  by  almost  all  subsequent  proposals. 

The  formalization  of  time  in  our  presentation  combines  ideas  from  both  hybrid  logics  [11,  33]  and 
constraint-based  logics  [23,  34] .  Such  a  combination  has  been  studied  to  a  limited  extent  in  Temporal 
Annotated  Constraint  Logic  Programming  (TACLP)  [17].  This  work,  done  in  the  context  of  logic 
programming  without  authorizations,  allows  interval  annotations  on  atomic  formulas,  similar  to  our 
A@  I  construct.  Besides  TACLP,  we  are  unaware  of  any  work  that  uses  hybrid  logic  for  modeling 
time. 

Linearity,  which  is  important  for  modeling  consumable  resources,  was  introduced  in  a  logic  by 
Girard [21]. The judgmental form of linear logic was first studied by Chang et al. [13]. The use of
linearity  in  conjunction  with  authorization  was  first  proposed  by  two  of  the  present  authors  and 
others  [18].  Some  enforcement  mechanisms  in  the  distributed  setting  have  also  been  described  [10]. 

More  broadly,  this  work  relates  to  languages  and  logics  for  expressing  and  enforcing  access 
control policies [1, 2, 7-9, 12, 14, 18, 19, 24-29, 32]. With the exception of the policy language
SecPAL [7], we are not aware of explicit use of time in any of these proposals. SecPAL's enforcement
of  time  is  external  to  the  language,  based  on  a  constraint  system  that  is  not  reasoned  about  within 
the  formal  semantics.  In  contrast,  our  logic  permits  direct  reasoning  with  validity  of  formulas.  It 
would  be  interesting  to  study  the  potential  formal  connections  between  the  two  approaches. 

The  principal  target  of  our  design  is  proof-carrying  authorization  (PCA)  [3-5].  In  existing  work 
on  PCA,  validity  of  certificates  plays  an  integral  part,  but  it  is  not  included  in  the  logic.  Rather, 
it is enforced by a separate check. In η-logic, this check becomes part of proof-verification.

An alternate approach to reasoning about time is based on temporal logics [15]. Here, one
reasons  about  events  relative  in  time  to  others.  Although  sometimes  useful  in  reasoning  about 
security  protocols,  the  approach  appears  to  be  ineffective  in  the  context  of  security  policies  and 
PCA,  which  rely  heavily  on  absolute  time. 

Another  related  line  of  work  is  interval  temporal  logic  [31],  where  one  reasons  about  sequences 
of  states  in  an  evolving  system.  Like  temporal  logic,  the  method  seems  inadequate  for  reasoning 
about  authorization  policies. 

Organization  of  the  Report.  In  section  2,  we  introduce  our  logic  and  its  proof  system,  and 
study its meta-theory. Section 3 describes η-logic's application to PCA. Section 4 illustrates the
expressiveness  of  the  logic  by  showing  examples  that  contain  complex  time-dependent  relationships. 
Section  5  concludes  the  report. 

2 η-logic: Authorization with Explicit Time

At its core, η-logic is a first-order intuitionistic logic. It integrates several other constructs: affirmations,
linearity, hybrid worlds representing time, and constraints. While these constructs have
been studied separately in the past, their interaction with each other is deep and non-trivial. In
particular, the hybrid nature of η-logic interacts with all the other components, making it impossible
to construct η-logic as an extension of either linear logic or a logic of affirmation without
changing the nature of the underlying judgments.

Following Per Martin-Löf [30], we use a judgmental approach in describing the logic. We
separate  formulas  from  judgments,  making  the  latter  the  objects  of  reasoning.  In  the  interest  of 
readability,  we  describe  the  logic  in  several  steps.  We  begin  by  briefly  describing  the  structure 
of  first-order  terms  and  sorts.  Next,  we  describe  the  judgments  that  capture  time,  linearity,  and 
affirmation.  We  then  discuss  constraints,  and  finally  present  the  logic’s  connectives  and  proof  rules. 

2.1  First-order  Terms  and  Sorts 

We assume that the quantifiable terms can be typed into different sorts (denoted by the metavariable
s). We stipulate at least two sorts: a sort of principals (principal) and a sort of intervals of
time (interval). If t is a term and Σ assigns sorts to all constants occurring in t, we write Σ ⊢ t:s to
mean  that  the  term  t  has  sort  s.  We  write  [t/x]A  to  denote  the  formula  obtained  by  substituting 
the  term  t  for  all  free  occurrences  of  x  in  A. 

Principals, denoted by the letter K, represent machines, users, or programs that make access requests
or issue policies. Concretely, they may be simple bit strings that represent names, identifiers,
or  keys. 

Intervals, denoted by the letter I, represent sets of time points over which formulas are true.
Borrowing  terminology  from  hybrid  logic,  they  are  worlds  which  qualify  formulas.  We  do  not  fix 
structures  for  either  time  points  or  their  sets,  but  postulate  necessary  conditions  that  must  hold 
on  them.  These  are  described  in  section  2.3.  Intuitively,  one  may  think  of  time  points  as  points  on 
the real line, and sets I as closed intervals on the real line. However, it should be noted that the
term  interval  is  really  a  misnomer  here;  we  could  work  with  other  kinds  of  sets  as  well.  In  many 
natural  scenarios,  the  sets  are  intervals,  and  we  therefore  continue  to  use  this  nomenclature. 

2.2 Judgments

Ordinarily, logic is concerned with the truth of formulas without reference to time. However, in access
control, the truth of formulas changes with time. For instance, if the formula
may_enter(Alice,  Bob)  means  that  Alice  is  allowed  to  enter  Bob’s  office,  then  this  formula  may 
be  true  during  Bob’s  office  hours  and  untrue  at  other  times. 

Hence,  in  order  to  reason  accurately  about  time  in  access  control,  the  logic  should  reason  about 
truth of formulas at specific times. This leads us to the basic judgment of our logic: "formula A is
true at all time points in the set I," written A⟦I⟧ (the double brackets distinguish this unrestricted
judgment from the linear judgment introduced next).

Following  prior  work  on  security  logics  [18],  we  would  like  to  go  a  step  further  by  adding 
linearity  to  the  logic  for  modeling  state  and  single- use  authorizations.  Accordingly,  we  add  a 
second judgment: "formula A is true exactly once in the set I," written A[I]. This does not mean
that  A  holds  at  exactly  one  time  point  in  I,  but  rather  that  the  authorization  implied  by  A  must 
be  used  at  one  time  point  in  the  interval. 

For example, may_enter(Alice, Bob)⟦I⟧ means that Alice may enter Bob's office any number of
times during interval I, while may_enter(Alice, Bob)[I] means that Alice must enter Bob's office
exactly once during interval I.

Next,  in  order  to  allow  reasoning  from  assumptions,  a  feature  central  to  all  logics,  we  introduce 
a  hypothetical  judgment  (sequent).  It  takes  the  following  form: 

Σ; Ψ; Γ; Δ ⇒ A[I]

Σ, Ψ, Γ, Δ have the syntax listed below:

Σ ::= · | Σ, x:s

Ψ ::= · | Ψ, I ⊇ I'

Γ ::= · | Γ, A⟦I⟧

Δ ::= · | Δ, A[I]

Σ assigns sorts to all first-order parameters occurring in the remaining sequent. Ψ records superset
constraints on intervals mentioned in the formulas in the sequent. Γ contains assumptions that
are true on specific intervals, and Δ represents assumptions that are true exactly once on specific
intervals. Γ and Δ are often called unrestricted hypotheses and linear hypotheses, respectively.

The meaning of the entire sequent is: "For each solution to the constraints Ψ in the variables
Σ we can prove that A is true exactly once during interval I, using each hypothesis in Δ exactly
once and each hypothesis in Γ zero or more times."

The judgment A[I] on the right side of ⇒ is often called the consequent of the sequent. Sequents
cannot have consequents of the form A⟦I⟧. This restriction is inherited from linear logic [13],
but does not limit the expressiveness of the deductive system.

Affirmations.  In  order  to  model  security  policies  issued  by  distinct  principals,  we  need  to  reason 
about  statements  made  by  principals.  We  call  such  statements  affirmations.  Due  to  the  hybrid 
nature  of  the  logic,  we  have  to  associate  time  with  affirmations.  Accordingly,  we  introduce  a  new 
judgment: "during interval I it is true that principal K affirms that formula A is true," written
(K affirms A) at I.

There are two important points here. First, the phrase "K affirms that formula A is true"
is broadly construed: K may not directly state that A is true; instead, A may follow from other
statements that K has made. Second, I is the interval over which the affirmation itself is true, not
K's intention of the interval on which A is true. If required, the latter may be encoded within A
using  the  @  connective.  For  example,  suppose  that  Bob  creates  the  policy  “Alice  may  enter  Bob’s 
office  between  9  AM  and  5  PM”  and  that  this  policy  is  valid  from  2007  to  2008.  Then,  this  fact 
is represented by the judgment (Bob affirms (may_enter(Alice, Bob) @ [9AM, 5PM])) at [2007, 2008].
Observe  that  here  the  interval  I  is  [2007,2008],  whereas  the  intended  validity  of  the  policy  that 
Bob  makes  is  [9 AM,  5PM]. 

Next,  we  add  a  new  form  of  sequent  to  reason  hypothetically  about  affirmations. 

Σ; Ψ; Γ; Δ ⇒ (K affirms A) at I

The meaning of this sequent is: "For each solution to the constraints Ψ in the variables Σ we can
prove that K affirms A exactly once during interval I, using each hypothesis in Δ exactly once and
each hypothesis in Γ zero or more times."

2.3  Constraints 

Superset constraints of the form I ⊇ I' are an integral part of η-logic. Formally, they are incorporated
in the proof system using the following judgment:

Σ; Ψ ⊨ I ⊇ I'

This judgment means that the constraints in Ψ entail that I is a superset of I', parametrically
in the constants mentioned in Σ. We do not fix the exact rules governing this judgment because
we  do  not  stipulate  a  concrete  structure  for  intervals.  We  expect  that,  in  practice,  this  judgment 
would  be  implemented  using  a  constraint  solving  procedure.  The  details  of  such  a  procedure  would, 
of  course,  depend  on  the  representation  chosen  for  intervals.  However,  to  obtain  meta-theoretic 
results  about  the  logic  (section  2.5),  we  require  the  following  properties.  Here,  C  denotes  arbitrary 
superset  constraints. 

1. (Hypothesis) Σ; Ψ, C ⊨ C.

2. (Weakening) If Σ; Ψ ⊨ C, then Σ, Σ'; Ψ, Ψ' ⊨ C.

3. (Cut) If Σ; Ψ ⊨ C and Σ; Ψ, C ⊨ C', then Σ; Ψ ⊨ C'.

4. (Substitution) If Σ ⊢ t:s and Σ, x:s; Ψ ⊨ C, then Σ; [t/x]Ψ ⊨ [t/x]C.

5. (Reflexivity) Σ; Ψ ⊨ I ⊇ I.

6. (Transitivity) If Σ; Ψ ⊨ I ⊇ I' and Σ; Ψ ⊨ I' ⊇ I'', then Σ; Ψ ⊨ I ⊇ I''.

In  the  case  where  intervals  are  represented  by  closed  intervals  on  the  real  line,  such  a  constraint 
solver  can  be  constructed  in  a  straightforward  manner. 

2.4  Formulas  and  Proof  Rules 

Having described the basic judgments and constraints in η-logic, we now turn to the connectives
allowed  in  formulas  and  the  proof  rules  for  sequents.  We  allow  all  connectives  of  intuitionistic  linear 
logic,  although,  for  the  sake  of  brevity,  we  limit  our  discussion  here  to  only  a  subset.  (Rules  for  the 
remaining  connectives  can  be  found  in  Appendix  A.)  In  addition,  we  introduce  a  new  connective 
A @ I to internalize the judgment A[I] as a formula, include the connective ⟨K⟩A (read "K says
A") [18, 19] to internalize the affirmation judgment, and add the connective I ⊇ I' to represent
superset constraints as formulas. Although we use the same notation I ⊇ I' for denoting both
formulas  and  constraints,  this  should  not  cause  confusion  since  the  intended  meaning  should  be 
clear  from  the  context. 

The  syntax  of  formulas  is  shown  below.  P  denotes  atomic  formulas. 

A, B ::= P | A ⊗ B | A ⊃ B | A ⊸ B | ∀x:s.A | A @ I | ⟨K⟩A | I ⊇ I'

A ⊗ B means that A and B are true simultaneously. We have two forms of implication: unrestricted
(A ⊃ B) and linear (A ⊸ B). They differ in that the pre-condition A in A ⊃ B can be satisfied only
if A can be established without the use of linear hypotheses, while there is no such restriction on
the pre-condition of A ⊸ B. Conversely, to prove A ⊃ B we may use A arbitrarily many times to
prove B, while A must be used exactly once in a proof of B to establish A ⊸ B.

The proof rules for the sequent calculus are summarized in Figure 1. γ denotes an arbitrary
consequent, either A[I] or (K affirms A) at I. The meanings of connectives in η-logic are described
entirely  by  these  proof  rules,  without  any  additional  semantics.  This  ensures  that  the  intended 
reading  of  formulas  coincides  with  the  available  formal  proofs,  which  is  desirable  for  PCA. 

The init and copy rules capture the nature of linear and unrestricted hypotheses. If we assume
that formula A is true once during interval I, and if I ⊇ I', then we should certainly be able to
conclude that A may be true once during the interval I'. For atomic formulas, this is captured by
the init rule; for others, we prove it as a theorem (Theorem 2). The init rule also highlights the
interaction between linearity, time, and constraints: its premise contains a constraint, and the fact
that no other linear hypothesis besides P[I] is allowed to occur captures linearity. The copy rule
permits copying of an unrestricted hypothesis A⟦I⟧ into the set of linear hypotheses. This may be
repeated, thus allowing the unrestricted hypothesis to be used multiple times.

The  remaining  rules  (with  the  exception  of  affirms)  are  related  to  the  logic’s  connectives.  Each 
rule  is  classified  as  either  right  or  left,  depending  on  whether  it  acts  on  the  right  side  or  the  left 
side of ⇒. We start with the new connective: A @ I.

A @ I captures the essence of the judgment A[I] as a formula. This permits us to associate time
intervals with formulas nested inside other formulas. The right rule @R means that A[I] entails
A@I[I']. The left rule @L states that the assumption A@I[I'] is stronger than the assumption A[I].
Together they imply that, as judgments, A[I] and A@I[I'] entail each other. This is intuitive: if a
formula A is true during interval I, then this fact is true over all intervals I'. Or equivalently, once
the truth of a formula has been qualified by an interval, a subsequent qualification is meaningless.

By its nature, interval containment is independent of time. Thus, we should be allowed to
establish the judgment I ⊇ I'[I''] whenever the constraint I ⊇ I' holds. This is captured by the
right rule, ⊇R. Note that the linear context in the conclusion of ⊇R is empty: establishing a
containment consumes no linear hypothesis. Dually, if we assume the judgment I ⊇ I'[I''], then we
should also be justified in assuming that the constraint I ⊇ I' holds. This is captured by the left
rule, ⊇L.

Next, we examine affirmation. The affirms rule relates affirmation to truth. It states that if it
is provable that formula A is true during interval I, then it is provable that every principal affirms
its truth during interval I. This is based on the idea that a proof is irrefutable evidence; if A has
a proof, then every principal must be willing to affirm A.

The connective ⟨K⟩A (read "K says A") internalizes affirmation as a formula. Its right rule
⟨⟩R means that the judgment (⟨K⟩A)[I] holds whenever (K affirms A) at I holds. The left rule ⟨⟩L
means that if we are trying to establish that K affirms B during I', and we know both K says A
during I and I ⊇ I', then we are justified in assuming that A is true during I. This rule captures
the idea that principals are accountable for their statements; having stated A, K cannot refute it,


Basic Rules

$$\dfrac{\Sigma;\Psi \models I \supseteq I' \quad (P\ \text{atomic})}{\Sigma;\Psi;\Gamma;P[I] \Rightarrow P[I']}\ \mathrm{init}
\qquad
\dfrac{\Sigma;\Psi;\Gamma,A\llbracket I\rrbracket;\Delta,A[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma,A\llbracket I\rrbracket;\Delta \Rightarrow \gamma}\ \mathrm{copy}$$

A @ I

$$\dfrac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A@I[I']}\ @R
\qquad
\dfrac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A@I[I'] \Rightarrow \gamma}\ @L$$

I ⊇ I'

$$\dfrac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow I \supseteq I'[I'']}\ \supseteq\!R
\qquad
\dfrac{\Sigma;\Psi,I \supseteq I';\Gamma;\Delta \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,I \supseteq I'[I''] \Rightarrow \gamma}\ \supseteq\!L$$

Affirmation and ⟨K⟩A

$$\dfrac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}\ \mathrm{affirms}
\qquad
\dfrac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A[I]}\ \langle\rangle R$$

$$\dfrac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;\Delta,\langle K\rangle A[I] \Rightarrow (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}\ \langle\rangle L$$

Other Connectives

$$\dfrac{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I] \qquad \Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow B[I]}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A \otimes B[I]}\ \otimes R
\qquad
\dfrac{\Sigma;\Psi;\Gamma;\Delta,A[I],B[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \otimes B[I] \Rightarrow \gamma}\ \otimes L$$

$$\dfrac{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A[i] \Rightarrow B[i]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \multimap B[I]}\ \multimap R$$

$$\dfrac{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta_2,B[I'] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,A \multimap B[I] \Rightarrow \gamma}\ \multimap L$$

$$\dfrac{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A\llbracket i\rrbracket;\Delta \Rightarrow B[i]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \supset B[I]}\ \supset\!R$$

$$\dfrac{\Sigma;\Psi;\Gamma;\cdot \Rightarrow A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta,B[I'] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \supset B[I] \Rightarrow \gamma}\ \supset\!L$$

$$\dfrac{\Sigma,a{:}s;\Psi;\Gamma;\Delta \Rightarrow [a/x]A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A[I]}\ \forall R
\qquad
\dfrac{\Sigma;\Psi;\Gamma;\Delta,[t/x]A[I] \Rightarrow \gamma \qquad \Sigma \vdash t{:}s}{\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.A[I] \Rightarrow \gamma}\ \forall L$$

Figure 1: Sequent calculus for η-logic
and hence, while reasoning about another affirmation by K, we can assume A. It is instructive to
observe  the  interaction  between  time  and  affirmation  in  this  rule. 

Finally, we describe the rules for connectives borrowed from linear logic: ⊗, ⊸, ⊃, and ∀.
Although these rules may appear similar to corresponding rules in linear logic (without time), the
meanings of the connectives must be reinterpreted because truth is always qualified with time in
η-logic. The presence of time opens the possibility of choosing from many different kinds of rules,
with each choice resulting in a different interaction between the connectives and @. For instance,
our rules imply that @ distributes over ⊗, that is, (A ⊗ B) @ I is equivalent to (A @ I) ⊗ (B @ I).
However,  this  choice  is  not  forced,  and  one  may  conceive  logics  that  do  not  validate  this  equivalence. 
The  proof  rules  shown  here  describe  what  we  believe  to  be  an  elegant,  useful,  and  simple  possibility. 

The  right  rule  ®R  states  that  in  order  to  show  that  A®  B  is  true  on  I,  it  suffices  to  partition 
the  linear  hypotheses  disjointly  into  two  parts,  using  one  part  to  establish  that  A  holds  on  I  and 
the  other  to  show  that  B  holds  on  I.  The  left  rule  ®L  is  dual,  stating  that  the  assumption  A®  B 
on interval I is stronger than the pair of assumptions A, B, both on the interval I. Together with
the  rules  for  @,  these  rules  imply  the  equivalence  mentioned  earlier. 

The right rule ⊸R means that in order to establish that A ⊸ B holds on interval I, it suffices
to show that for every interval i such that I ⊇ i, B[i] follows from the linear hypothesis A[i]. The
left rule ⊸L is dual, stating that if A ⊸ B is assumed to hold on I and A holds on any smaller
interval I', then B holds on I'. Together these mean that (A ⊸ B) @ I represents a method of
obtaining B from A on any subset of I.

The rule ⊃R is similar to ⊸R, except that in this case A is assumed to be unrestricted.
Correspondingly, in the left rule ⊃L, one must establish A without any linear hypotheses.

We can establish the formula ∀x:s.A if we can establish [a/x]A for every fresh constant a of sort
s. This is captured by the right rule ∀R. The left rule ∀L states that if we assume ∀x:s.A, then we
can also assume [t/x]A for any term t of sort s.
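The constraint judgment of section 2.3 and the proof rules of Figure 1 can be exercised together in a small checker. The following Python program is an added example written for this rewrite; it is not code from the report or its authors. It assumes the closed-real-interval representation suggested at the end of section 2.3 (an interval is a (lo, hi) pair or a named interval variable), encodes formulas, hypotheses and proofs as tuples, and covers only the rules init, copy, @R, @L, ⊇R, ⊇L, affirms, ⟨⟩R, ⟨⟩L and ⊗L. The policy, the principal names and the time values in the worked example at the end are constructed for illustration.

```python
"""Constraint entailment and proof checking for a fragment of eta-logic (added example)."""
from collections import deque

# Intervals are closed real intervals (lo, hi) or interval variables (strings).
# psi is a list of (I, J) pairs, each standing for the superset constraint I ⊇ J.
# Formulas: ('atom', name) | ('at', A, I) | ('says', K, A) | ('tensor', A, B) | ('sup', I, J)
# Hypotheses are (A, I) pairs; goals are ('true', A, I) or ('affirms', K, A, I).


def ground_contains(I, J):
    """[a,b] ⊇ [c,d] on the real line; an empty [c,d] (c > d) is contained in every interval."""
    (a, b), (c, d) = I, J
    return c > d or (a <= c and d <= b)


def entails(psi, I, J):
    """Decide Σ; Ψ ⊨ I ⊇ J: reflexivity, the hypotheses in Ψ, ground containment, and the
    transitive closure of all three (a breadth-first search over ⊇ edges).  This is one
    concrete solver satisfying properties 1-6 of section 2.3 for closed real intervals."""
    nodes = {I, J} | {x for pair in psi for x in pair}
    seen, todo = {I}, deque([I])
    while todo:
        cur = todo.popleft()
        if cur == J or (isinstance(cur, tuple) and isinstance(J, tuple) and ground_contains(cur, J)):
            return True
        succ = [b for (a, b) in psi if a == cur]
        if isinstance(cur, tuple):
            succ += [n for n in nodes if isinstance(n, tuple) and ground_contains(cur, n)]
        for n in succ:
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return False


LEFT_RULES = {'atL', 'supL', 'tensorL', 'saysL'}


def check(psi, gamma, delta, goal, proof):
    """Return True iff `proof` derives Σ; Ψ; Γ; Δ ⇒ goal using only init, copy, @R, @L,
    ⊇R, ⊇L, affirms, ⟨⟩R, ⟨⟩L and ⊗L of Figure 1.  Δ is a list of linear hypotheses, each of
    which must be consumed exactly once; Γ is a list of unrestricted hypotheses.  Like a PCA
    reference monitor, the checker verifies a supplied derivation and never searches for one."""
    rule, args = proof[0], proof[1:]
    if rule == 'init':      # P[I] ⇒ P[I'] when Ψ ⊨ I ⊇ I' and P[I] is the only linear hypothesis
        return (goal[0] == 'true' and len(delta) == 1 and delta[0][0][0] == 'atom'
                and delta[0][0] == goal[1] and entails(psi, delta[0][1], goal[2]))
    if rule == 'copy':      # copy A⟦I⟧ from Γ into Δ as A[I]; Γ itself is unchanged
        hyp, sub = args
        return hyp in gamma and check(psi, gamma, delta + [hyp], goal, sub)
    if rule == 'affirms':   # (K affirms A) at I follows from A[I]
        return goal[0] == 'affirms' and check(psi, gamma, delta, ('true', goal[2], goal[3]), args[0])
    if rule == 'saysR':     # ⟨K⟩A[I] follows from (K affirms A) at I
        if goal[0] != 'true' or goal[1][0] != 'says':
            return False
        _, K, A = goal[1]
        return check(psi, gamma, delta, ('affirms', K, A, goal[2]), args[0])
    if rule == 'atR':       # A@J[I'] follows from A[J]; the outer interval I' is discarded
        if goal[0] != 'true' or goal[1][0] != 'at':
            return False
        return check(psi, gamma, delta, ('true', goal[1][1], goal[1][2]), args[0])
    if rule == 'supR':      # I⊇J[I''] with an empty Δ follows from Ψ ⊨ I ⊇ J
        return (goal[0] == 'true' and goal[1][0] == 'sup' and not delta
                and entails(psi, goal[1][1], goal[1][2]))
    if rule not in LEFT_RULES:
        return False
    idx, sub = args         # left rules act on the linear hypothesis delta[idx]
    (A, I), rest = delta[idx], delta[:idx] + delta[idx + 1:]
    if rule == 'atL' and A[0] == 'at':          # A@J[I] is replaced by A[J]
        return check(psi, gamma, rest + [(A[1], A[2])], goal, sub)
    if rule == 'supL' and A[0] == 'sup':        # I⊇J[I''] is replaced by the constraint I ⊇ J
        return check(psi + [(A[1], A[2])], gamma, rest, goal, sub)
    if rule == 'tensorL' and A[0] == 'tensor':  # A⊗B[I] is replaced by A[I], B[I]
        return check(psi, gamma, rest + [(A[1], I), (A[2], I)], goal, sub)
    if rule == 'saysL' and A[0] == 'says' and goal[0] == 'affirms':
        # ⟨K⟩A[I] may be opened only while proving an affirmation by the same K on some I' ⊆ I
        _, K, B = A
        return K == goal[1] and entails(psi, I, goal[3]) and check(psi, gamma, rest + [(B, I)], goal, sub)
    return False


# Worked example (constructed data): all times are hours since a fixed epoch.
MAY_ENTER = ('atom', 'may_enter(Alice,Bob)')
OFFICE_HOURS = (9.0, 17.0)                      # Bob's intended validity of the permission
POLICY_LIFETIME = (0.0, 8760.0)                 # one year: validity of Bob's statement itself
POLICY = ('says', 'Bob', ('at', MAY_ENTER, OFFICE_HOURS))
GAMMA = [(POLICY, POLICY_LIFETIME)]             # the policy as an unrestricted hypothesis

# The derivation, written bottom-up: copy the policy into Δ, open ⟨Bob⟩ with ⟨⟩L, strip the @
# with @L, reduce the affirmation to truth with affirms, and close with init.
PROOF = ('copy', (POLICY, POLICY_LIFETIME),
         ('saysL', 0,
          ('atL', 0,
           ('affirms',
            ('init',)))))


def verify_request(request):
    """Check PROOF against the goal (Bob affirms may_enter(Alice,Bob)) at `request`.
    The proof is fixed; only the interval it is checked against changes."""
    return check([], GAMMA, [], ('affirms', 'Bob', MAY_ENTER, request), PROOF)
```

The derivation checked by verify_request is the one the ⟨⟩L discussion above describes. The two containment side conditions, [0, 8760] ⊇ request at ⟨⟩L and [9, 17] ⊇ request at init, are what fold the certificate-validity check into proof verification: verify_request((10.0, 11.0)) succeeds, a request at (18.0, 19.0) fails at init, and one at (9000.0, 9001.0) fails at ⟨⟩L because the policy statement itself has expired.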

This  completes  our  presentation  of  the  proof  rules  of  the  sequent  calculus.  We  now  turn  to  the 
meta-theory of η-logic.

2.5  Meta-theory 

Meta-theoretic  properties  are  important  for  a  logic  of  authorization  because  they  not  only  provide 
assurance  of  a  strong  foundation  for  the  logic,  but  are  also  useful  in  analysis  of  policies.  Cut 
elimination,  for  example,  implies  that  all  proofs  can  be  normalized,  i.e.,  reduced  to  a  canonical 
form.  This  canonical  form  often  provides  far  more  insight  into  the  reasons  why  access  was  granted 
as  compared  to  the  original  proof. 

In our logic, meta-theoretic properties are important from yet another perspective. Since connectives
are described entirely by the rules of the sequent calculus, it is absolutely essential that
the  basic  meaning  of  hypothetical  judgments  (sequents)  be  respected  by  the  rules.  Formally,  this  is 
expressed  by  two  properties:  admissibility  of  cut  and  identity.  Admissibility  of  cut  states  that  if  a 
judgment such as A[I] can be established, and assuming this judgment, we can establish a second
judgment,  then  the  second  judgment  can  be  established  directly.  Identity  states  that  whenever  we 
assume  a  judgment,  we  can  conclude  it.  We  prove  both  properties  for  our  logic.  To  establish  the 
admissibility  of  cut,  it  must  be  stated  in  a  more  general  form. 

Theorem 1 (Admissibility of Cut).

1. If Σ; Ψ; Γ; Δ ⇒ A[I] and Σ; Ψ; Γ; Δ', A[I] ⇒ γ, then Σ; Ψ; Γ; Δ', Δ ⇒ γ.

2. If Σ; Ψ; Γ; · ⇒ A[I] and Σ; Ψ; Γ, A⟦I⟧; Δ' ⇒ γ, then Σ; Ψ; Γ; Δ' ⇒ γ.

3. If Σ; Ψ; Γ; Δ ⇒ (K affirms A) at I and Σ; Ψ; Γ; Δ', A[I] ⇒ (K affirms C) at I' and Σ; Ψ ⊨
I ⊇ I', then Σ; Ψ; Γ; Δ', Δ ⇒ (K affirms C) at I'.

Proof.  See  Appendix  B.3.  □ 

Theorem 2 (Identity). For any proposition A, Σ; Ψ; Γ; A[I] ⇒ A[I'] if Σ; Ψ ⊨ I ⊇ I'.

Proof.  See  Appendix  B.l.  □ 

Cut  elimination  usually  refers  to  the  explicit  elimination  of  cut  as  a  rule  of  inference  from  the 
sequent  calculus.  It  follows  by  a  simple  structural  induction  from  the  admissibility  of  cut,  and  is 
therefore  omitted  here. 

In a hybrid logic like η-logic, we expect another important property: if we can establish A[I], then we should be able to establish A[I'] for every subset I' of I. This property, called subsumption, is formally captured by the following theorem.

Theorem 3 (Subsumption). If Σ; Ψ ⊨ I ⊇ I', then the following hold:

1. If Σ; Ψ; Γ; Δ ⇒ A[I], then Σ; Ψ; Γ; Δ ⇒ A[I'].

2. If Σ; Ψ; Γ; Δ ⇒ (K affirms A) at I, then Σ; Ψ; Γ; Δ ⇒ (K affirms A) at I'.

Proof.  See  Appendix  B.2.  □ 

We now state some simple theorems that hold in the logic. Equally important are properties that cannot be established in their full generality. We write ⊢ A to mean that A can be derived, and ⊬ A to mean that ⊢ A cannot be derived in full generality. Similarly, ⊨ I ⊇ I' means that · ⊨ I ⊇ I'.

1. ⊬ ((A @ I) ⊸ (A @ I'))[I'']

2. ⊢ ((A @ I) ⊸ (A @ I'))[I''] if ⊨ I ⊇ I'

3. ⊢ ((A @ I @ I') ⊸ (A @ I))[I'']

4. ⊢ ((A @ I) ⊸ (A @ I @ I'))[I'']

5. ⊢ (((A ⊗ B) @ I) ⊸ ((A @ I) ⊗ (B @ I)))[I']

6. ⊢ (((A @ I) ⊗ (B @ I)) ⊸ ((A ⊗ B) @ I))[I']

7. ⊬ A[I]

The first property states that, in general, A @ I does not imply A @ I'. In the special case where I is a superset of I', this is true (second property). The next two properties capture the nature of nested @ connectives: A @ I @ I' and A @ I are equivalent. Properties (5) and (6) imply that @ distributes over ⊗. The last property states consistency — not every formula is provable a priori in the logic.

The says connective ⟨K⟩A is similar to a lax modality [16]. It satisfies the following theorems:

1. ⊢ (A ⊸ ⟨K⟩A)[I]

2. ⊢ ((⟨K⟩⟨K⟩A) ⊸ ⟨K⟩A)[I]

3. ⊢ ((⟨K⟩(A ⊸ B)) ⊸ ((⟨K⟩A) ⊸ (⟨K⟩B)))[I]

4. ⊬ ((⟨K⟩A) ⊸ A)[I]

As a general design decision, we have kept the interaction between temporal constraints and logical reasoning as simple as possible. In particular, we do not permit splitting of intervals into sub-intervals during logical reasoning. For example, even if I ∪ I' = I'', we cannot prove in general that A @ I and A @ I' imply A @ I''. For proof-carrying authorization (discussed in the next section), this means that in order to demonstrate a continuous right to access a resource over a given interval there must be a uniform proof over the whole interval, unless special policy axioms are introduced. The logic can easily be generalized to permit the splitting of intervals, but the theorem proving problem becomes significantly more difficult. Jia [23] provides an analysis of this trade-off in the setting of reasoning about imperative programs using a heap.

3 Proof-Carrying Authorization with η-logic

In this section, we describe applications of η-logic to PCA. The main merit of using η-logic for PCA is that the temporal validity of policies and credentials is reflected in the formulas of the logic, thus bringing the formalized policies closer to their intended meaning. We review the Grey system [5, 6] in section 3.1 and use it as an example to illustrate our PCA approach in section 3.2. In section 3.3, we comment on the feasibility of using η-logic in PCA. Finally, we formalize some of our claims about enforcement in section 3.4.

3.1  Review  of  the  Grey  System 

The  Grey  system  is  an  architecture  for  universal  access  control  using  proof-carrying  authorization 
with  smartphones.  The  Grey  testbed  is  an  implementation  of  keyless  access  control  on  office  doors 
and  computers,  developed  and  currently  deployed  on  one  floor  in  the  Collaborative  Innovation 
Center  at  Carnegie  Mellon  University.  Each  office  door  is  equipped  with  a  processor  that  runs 
a  proof-checking  engine  based  on  a  logical  framework.  The  processor  controls  an  electronic  relay 
which  can  unlock  the  door. 

Enforcement  of  access  control  follows  the  standard  PCA  approach:  a  person  desiring  access  to 
an  office  uses  her  cellphone  to  communicate  with  the  office’s  door,  sending  it  a  proof  that  she  is 
allowed  access.  This  proof  is  checked  by  the  proof-checking  engine  in  the  door,  and  if  the  proof  is 
correct,  the  processor  unlocks  the  door  through  the  relay. 

Two  simple  policies  in  Grey  are  the  following: 

1.  A  person  may  enter  her  own  office. 

2.  A  person  may  enter  an  office  not  belonging  to  her,  if  authorized  to  do  so  by  the  owner  of  the 
office. 

In  addition  to  policies,  authorization  in  Grey  relies  on  credentials  issued  by  individual  users  that 
authorize  other  users  to  enter  their  offices.  They  are  used  in  conjunction  with  the  second  policy. 
Physically,  these  credentials  are  digitally  signed  X.509  certificates.  For  pragmatic  reasons,  most  of 
these  credentials  are  time-bound:  they  are  not  valid  forever  because  one  usually  does  not  want  to 
allow  another  person  to  access  her  office  indefinitely. 
Each policy statement and each available credential is converted to a formula in Grey’s logic.
An  individual  wanting  access  must  not  only  provide  the  door  with  a  proof,  but  also  any  credentials 
used  in  the  proof  that  the  door  may  be  unaware  of.  In  addition  to  checking  the  proof,  the  door 
also  checks  the  new  credentials.  If  both  checks  succeed,  the  door  opens.  Otherwise,  it  does  not. 

Grey’s current logic is oblivious to time. As a result, the validity bound on a credential is ignored when the credential is imported into the logic. For example, suppose Bob signs the credential “Allow Alice to enter my door (valid from 1/1/08 to 1/31/08).” If the predicate may_enter(K1, K2) means that K1 is allowed to enter K2’s office, then this credential may be imported into Grey’s logic as the formula ⟨Bob⟩may_enter(Alice, Bob). The validity bound of the credential is ignored in the logic. Policies are treated similarly — their validity, if any, is ignored. Consequently, proofs are ignorant of time, and it is possible to obtain a seemingly correct proof in the logic depending on formulas derived from expired credentials.

In  order  to  rectify  this  problem  and  correctly  enforce  the  time  bounds  in  credentials,  Grey  uses 
an  extra-logical  mechanism.  In  addition  to  checking  that  a  submitted  proof  and  credentials  are 
correct,  a  door  also  checks  that  all  credentials  used  in  the  proof  are  valid  at  the  time  of  access. 
Although  secure  and  efficient  in  practice,  this  method  divorces  time  from  the  logic,  making  reasoning 
in  the  logic  inaccurate  with  respect  to  time.  In  particular,  proof  construction  has  to  be  augmented 
with  a  similar  external  time  check.  Otherwise,  correct  but  expired  proofs  may  be  constructed. 
Furthermore,  any  meta-level  analysis  of  the  policies  using  the  logic  will  be  inaccurate  with  respect 
to  time. 

3.2 Grey in η-logic

In η-logic, we can model time-bounded credentials accurately. We illustrate this using policies from the Grey system. As before, let the predicate may_enter(K1, K2) mean that K1 is allowed to enter K2’s office. We assume the existence of an administrating principal, admin, who dictates all policies. For this example and all subsequent ones, we assume that time is represented by points on the real line, and intervals in the logic are intervals on the real line.

To open K2’s door at time t, K1 must submit a proof showing that the following judgment is derivable from the available policies and credentials: ⟨admin⟩may_enter(K1, K2)[t, t]. Here [t, t] represents the closed point interval for time t. Observe that the judgment that must be established to gain access directly incorporates time. This is in sharp contrast to Grey’s existing approach, where time is external to the logic.

Grey’s policies described earlier can be imported as the following unrestricted hypotheses in η-logic.

1. ⟨admin⟩∀K. may_enter(K, K)[(−∞, ∞)]

2. ⟨admin⟩∀K1. ∀K2. (⟨K2⟩may_enter(K1, K2) ⊃ may_enter(K1, K2))[(−∞, ∞)]

Here we have assumed that both policies are valid indefinitely, i.e., on the interval (−∞, ∞). If the policies are valid for only a finite duration of time, one may replace (−∞, ∞) with the appropriate interval.

A critical observation is that we assume that these formulas are unrestricted hypotheses because they may be used many times. This does not apply to credentials issued by individuals to allow others to enter their offices. For example, Bob may allow Alice to enter his office once between 1/1/08 and 1/31/08 by issuing a certificate that is imported as the linear hypothesis:

3. ⟨Bob⟩may_enter(Alice, Bob)[1/1/08, 1/31/08]

It is instructive to check that, using the unrestricted hypotheses (1) and (2) and the linear hypothesis (3), it is possible to derive ⟨admin⟩may_enter(Alice, Bob)[t, t] for any t in the time interval [1/1/08, 1/31/08]. Also, it is impossible to derive the same judgment if t does not lie in this interval. Thus, qualifying formulas explicitly with intervals on which they are true makes proof construction in the logic accurate with respect to the time bounds on credentials.

3.3 Implementing PCA with η-logic

As described above, allowing explicit time in a logic bridges the gap between time-dependent credentials and their representation in the logic. The question then is whether this approach offers any advantages over traditional implementations of PCA.

The primary issue is efficiency. At first, one might think that adding time to the logic would slow proof-checking. While a comprehensive assessment of the efficiency of proof-checking can only be made with a real implementation, we show in section 3.4 that a reasonable fragment of the logic (namely, one in which there are no nested @ and ⊇ connectives) can be implemented using the same method that Grey uses to enforce time-dependence of credentials: proof-checking and proof construction are done in oblivion to time, and validity of certificates at the time of access is ascertained separately. This fragment is large enough to express all policies of Grey, and other existing PCA based systems.

Thus, existing PCA systems can be implemented in η-logic without loss of efficiency. At the same time, there are several merits in making time explicit in the logic. First, policies and credentials are reflected more accurately in the logic. They therefore become amenable to more accurate meta-level policy analysis, such as an analysis for security loopholes. Second, leveraging the existing constraint-solving mechanism, one can model complex policies, policies that are intractable in previously proposed logics. Examples in section 4 include such policies. Third, with time-aware formulas, one cannot, even accidentally, construct a proof that is invalid due to a time-dependence. This reduces the risk of unanticipated access denials.

We anticipate new challenges if PCA is implemented using a fragment of η-logic larger than the one described above. An important issue that arises in proof search is certificate chain discovery: determining which credentials are relevant for a proof. In a time-aware logic, this problem is exacerbated, since this process has to incorporate temporal validity of certificates. However, there is a trade-off here: at the cost of more work, the final proof is guaranteed to be accurate. Alternatively, one may choose to ignore time during proof search. In that case, certificate chain discovery would revert to its usual complexity (and time-dependent inaccuracy).

An essential component that must be built into any realistic implementation of η-logic is a constraint solver. For simple constraints such as I ⊇ I' that we have seen so far, this appears to be relatively straightforward. Furthermore, most policies arising in practice do not require parameters in constraints. This trivializes the constraint solving problem to checking containment over ground intervals. Even if one wished to be more ambitious by allowing other kinds of constraints for use in policies, previous work in constraint logic programming suggests that a large number of useful constraint domains are tractable in practice (see [22] for a survey).

An interesting, open problem in implementing PCA with η-logic is the treatment of linearity. Since linear hypotheses and the corresponding credentials must be consumed only once, a mechanism for tracking their use is required. If all linear credentials are maintained in a central database, this is relatively straightforward. It is less clear, however, whether there is a uniform way of doing this in a completely distributed setting. Some initial ideas using contract signing protocols have been described earlier [10].

3.4 Enforcement for a Fragment of η-logic

The objective of this section is to show that Grey’s method of checking credential validity at the time of request as a separate step after proof-checking can also be used for the fragment of η-logic without the connectives @ and ⊇. This fragment does not preclude intervals in top-level judgments such as A[I] and A[I']. It covers all systems in which time is used only to bound the validity of credentials, but not inside the text of credentials, including all policies of the Grey system.

In order to formally describe our result we need a logic without time which is otherwise similar to η-logic. We choose the logic of [18], since our logic is derived from it. For the lack of a better name, we call this logic ζ-logic (ζ being the predecessor of η in the Greek alphabet). ζ-logic may be understood as the simplification of η-logic obtained by erasing intervals and constraints from formulas, judgments, sequents, and proof rules. The uninitiated reader may skip this section without affecting readability of the remaining report.

Let F denote formulas which do not contain the connectives @ and ⊇. Such formulas are in the syntax of ζ-logic. Let Θ and Δ denote multisets of such formulas, representing unrestricted hypotheses and linear hypotheses in ζ-logic, respectively. Let I denote a list of ground intervals. Furthermore, if Θ = F1, ..., Fn and I = I1, ..., In, let Θ[I] denote the set of unrestricted hypotheses F1[I1], ..., Fn[In] in η-logic. Define Δ[I'] similarly. Also, let Σ̄ be the same as Σ except for the absence of interval parameters.

All sequents in this fragment of η-logic have one of the forms Σ; Ψ; Θ[I]; Δ[I'] ⇒ F[I''] or Σ; Ψ; Θ[I]; Δ[I'] ⇒ (K affirms F) at I''.

Our idea for implementing PCA with this fragment of η-logic is the following. Whenever a principal needs to prove Σ; Ψ; Θ[I]; Δ[I'] ⇒ F[I''], she instead proves that Σ̄; Θ; Δ ⇒ F in ζ-logic. The proof checker verifies this proof in ζ-logic, and checks that each interval in I and I' is a superset of I''. As the following theorem shows, the success of these two checks implies that the original sequent is provable in η-logic.

(A priori, this result was not obvious to us because intervals mentioned in the last sequent of a proof interact with subformulas in other sequents of the proof. It seemed entirely possible that some subtle consequence of these interactions would not be captured by simply checking that each interval in I and I' is a superset of I''.)

Theorem 4. Suppose Σ; Ψ ⊨ I''' ⊇ I'' for each I''' ∈ I and for each I''' ∈ I'. Then,

1. If Σ̄; Θ; Δ ⇒ F in ζ-logic, then Σ; Ψ; Θ[I]; Δ[I'] ⇒ F[I''] in η-logic.

2. If Σ̄; Θ; Δ ⇒ K affirms F in ζ-logic, then Σ; Ψ; Θ[I]; Δ[I'] ⇒ (K affirms F) at I'' in η-logic.

Proof. See Appendix C.1. □

Thus, on the fragment without @ and ⊇, proof-checking in a logic without time, together with simple containment checking for intervals, soundly approximates proof-checking in η-logic. One might also expect the converse to hold, namely that whenever Σ; Ψ; Θ[I]; Δ[I'] ⇒ F[I''] holds in η-logic, Σ̄; Θ; Δ ⇒ F holds in ζ-logic and for each interval I''' ∈ I and each I''' ∈ I', Σ; Ψ ⊨ I''' ⊇ I''. This is partially correct: given that the η-logic sequent is provable, the former holds as the following theorem shows, but the latter may not. The reason is quite straightforward: the consequent of the sequent may not depend on some assumptions in Θ, and the intervals associated with such assumptions may have no relation to I''.

Theorem 5.

1. If Σ; Ψ; Θ[I]; Δ[I'] ⇒ F[I''], then Σ̄; Θ; Δ ⇒ F in ζ-logic.

2. If Σ; Ψ; Θ[I]; Δ[I'] ⇒ (K affirms F) at I'', then Σ̄; Θ; Δ ⇒ K affirms F in ζ-logic.

Proof. See Appendix C.2. □
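The following Python program is an added example, not code from the paper or from the Grey system. It carries out the two-step check of this section on the Grey policies of section 3.2: a time-oblivious derivation (a small backward chainer standing in for the ζ-logic proof) followed by the containment check of every used interval against the access interval [t, t]. The names Hyp, derive and authorize, and the encoding of dates as day numbers, are this example's own assumptions.

```python
"""Added example (not the paper's or the Grey system's code): section 3.4's
two-step enforcement applied to the Grey policies of section 3.2.  A goal is
first derived in a time-oblivious logic (a small backward chainer over 'K says
p(args)' statements stands in for zeta-logic); then the validity interval of
every hypothesis the derivation used must contain the access interval [t, t].
Linear credentials leave the store once used.  Times are real numbers; the
day numbers in the demo are constructed (day 1 = 1/1/08, day 31 = 1/31/08)."""
from dataclasses import dataclass
from math import inf

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def contains(self, other):  # self is a superset of other
        return self.lo <= other.lo and other.hi <= self.hi

@dataclass(frozen=True)
class Stmt:
    """'principal says pred(args)'; names starting with '?' are variables."""
    principal: str
    pred: str
    args: tuple

@dataclass(frozen=True)
class Hyp:
    """A credential (empty body) or a policy (premises in body) with validity."""
    stmt: Stmt
    body: tuple = ()
    valid: Interval = Interval(-inf, inf)
    linear: bool = False

def match(pattern, goal):
    """Bind the pattern's variables so that it equals the ground goal, or None."""
    if pattern.pred != goal.pred or len(pattern.args) != len(goal.args):
        return None
    env = {}
    for p, g in zip((pattern.principal,) + pattern.args, (goal.principal,) + goal.args):
        if p.startswith("?"):
            if env.setdefault(p, g) != g:
                return None
        elif p != g:
            return None
    return env

def subst(s, env):
    return Stmt(env.get(s.principal, s.principal), s.pred, tuple(env.get(a, a) for a in s.args))

def derive(goal, store, depth=16):
    """Time-oblivious derivation: (hypotheses used, store left over) or None.
    Assumes, like the Grey policies, that premise variables occur in the head;
    depth bounds recursion through self-referential policies."""
    if depth == 0:
        return None
    for h in store:
        env = match(h.stmt, goal)
        if env is None:
            continue
        used = [h]
        rest = [x for x in store if x is not h] if h.linear else list(store)
        for prem in h.body:
            sub = derive(subst(prem, env), rest, depth - 1)
            if sub is None:
                break
            used += sub[0]
            rest = sub[1]
        else:  # every premise derived
            return used, rest
    return None

def authorize(goal, at, store):
    """The door's check: timeless derivation, then the interval containment step.
    Returns (granted, reason, store after consuming linear credentials)."""
    result = derive(goal, store)
    if result is None:
        return False, "no derivation", store
    used, rest = result
    for h in used:  # Theorem 4: each used interval must be a superset of [t, t]
        if not h.valid.contains(at):
            return False, f"{h.stmt} not valid at {at}", store
    return True, "ok", rest

GREY_POLICIES = [
    # 1. <admin> forall K. may_enter(K, K) [(-inf, inf)]
    Hyp(Stmt("admin", "may_enter", ("?K", "?K"))),
    # 2. <admin> forall K1, K2. (<K2>may_enter(K1, K2) implies may_enter(K1, K2)) [(-inf, inf)]
    Hyp(Stmt("admin", "may_enter", ("?K1", "?K2")),
        body=(Stmt("?K2", "may_enter", ("?K1", "?K2")),)),
]
# 3. <Bob>may_enter(Alice, Bob)[1/1/08, 1/31/08]: a linear, single-use credential
BOB_TO_ALICE = Hyp(Stmt("Bob", "may_enter", ("Alice", "Bob")), valid=Interval(1, 31), linear=True)

def demo():
    goal = Stmt("admin", "may_enter", ("Alice", "Bob"))
    first, _, store = authorize(goal, Interval(15, 15), GREY_POLICIES + [BOB_TO_ALICE])
    again, _, _ = authorize(goal, Interval(16, 16), store)  # credential already consumed
    late, _, _ = authorize(goal, Interval(45, 45), GREY_POLICIES + [BOB_TO_ALICE])  # expired
    own, _, _ = authorize(Stmt("admin", "may_enter", ("Alice", "Alice")), Interval(400, 400), GREY_POLICIES)
    return first, again, late, own  # (True, False, False, True)
```

Because only the hypotheses the derivation actually used are interval-checked, a stored credential with an unrelated interval that the proof never touches does not affect the outcome, which is the asymmetry Theorem 5 leaves open.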

4 Expressiveness of η-logic: More Examples

Besides modeling time-bounded credentials, η-logic, through its combination of explicit time and constraints, can also be used to express very complicated policies. We illustrate this expressiveness through two hypothetical examples. The first example describes the policies of a homework assignment administration system at a university. In addition to time, this example uses linearity to model changes of state. The second example describes the policies of a peer review publication process.

A  Homework  Assignment  Administration  System.  We  consider  the  policy  of  a  hypothetical 
homework  administration  system  in  a  university.  Time  is  used  to  explicitly  encode  the  release  and 
due  dates  of  each  assignment.  The  policies  allow  professors  to  create  assignments  for  the  courses 
they  teach  and  adjust  their  release  and  due  dates.  Students  can  view  an  assignment  after  the 
release  date  and  submit  it  before  the  due  date.  Modeling  this  policy  creates  complex  interactions 
between  time  and  authorization  that  cannot  be  captured  without  either  a  connective  like  @  or 
constraints. 

We use the meta-variable A to denote assignments, C for courses, P for professors, and S for students. The predicates (with their intuitive meanings) and policies used in this example are summarized in Figure 2. As a syntactic convention, we assume that ⊗, ⊸, and ⊃ are right associative and that the binding precedences are, in decreasing order: ⟨⟩; ⊸ and ⊃; ∀. We write t ∈ I as an abbreviation for I ⊇ [t, t], and t ≥ t' as an abbreviation for t ∈ [t', ∞).

As may be expected, all policy rules are unrestricted hypotheses that are valid forever. This is indicated by the annotation [(−∞, ∞)] on each policy rule.

We assume an administrating principal, admin. At the beginning of each semester, this principal issues credentials to students registered for courses and professors teaching courses. These must be presented later (perhaps many times) to view, submit, and change assignments. As a result, they are unrestricted hypotheses. They have the logical forms ⟨admin⟩is_student(S, C)[Sem] and ⟨admin⟩is_professor(P, C)[Sem] respectively, where Sem denotes the semester under consideration.

A professor P can create an assignment A in a course C by issuing a credential stating ⟨P⟩is_assignment(A, C)[tr, td]. The time points tr and td stand for the release and due dates of the assignment, respectively. [tr, td] denotes the closed interval between these time points. We require that such credentials be linear hypotheses. If instead they were unrestricted, then there would be no logical mechanism to change the release and due dates after creating an assignment.

To view an assignment A in course C at time t, a student S must be able to prove the judgment ⟨admin⟩may_view(S, A, C)[t, t]. The policy rule named view allows students to do this. We assume
Predicates

request_view(A, C)             A request to view assignment A of course C.
request_submit(A, C)           A request to submit answers for assignment A of course C.
is_professor(P, C)             P is a professor for course C.
is_student(S, C)               S is a student enrolled in course C.
is_assignment(A, C)            A is an assignment for the students in course C.
may_view(S, A, C)              S may view assignment A of course C.
may_submit(S, A, C)            S may submit answers for assignment A of course C.
change_date(A, C, t'r, t'd)    A request to change the release and due dates for assignment A of course C to t'r and t'd, respectively.

Policies

view : (⟨S⟩request_view(A, C) @ [t, t] ⊸
        ⟨admin⟩is_student(S, C) @ [t, t] ⊃
        ⟨P⟩is_assignment(A, C) @ [tr, td] ⊸
        ⟨admin⟩is_professor(P, C) @ [tr, td] ⊃
        (t ≥ tr) ⊃
        ⟨admin⟩may_view(S, A, C) @ [t, t] ⊗
        ⟨P⟩is_assignment(A, C) @ [tr, td])[(−∞, ∞)]

submit : (⟨S⟩request_submit(A, C) @ [t, t] ⊸
        ⟨admin⟩is_student(S, C) @ [t, t] ⊃
        ⟨P⟩is_assignment(A, C) @ [tr, td] ⊸
        ⟨admin⟩is_professor(P, C) @ [tr, td] ⊃
        (t ∈ [tr, td]) ⊃
        ⟨admin⟩may_submit(S, A, C) @ [t, t] ⊗
        ⟨P⟩is_assignment(A, C) @ [tr, td])[(−∞, ∞)]

change : (⟨P⟩change_date(A, C, t'r, t'd) ⊸
        ⟨P⟩is_assignment(A, C) @ [tr, td] ⊸
        ⟨admin⟩is_professor(P, C) ⊃
        ⟨P⟩is_assignment(A, C) @ [t'r, t'd])[(−∞, ∞)]

Figure 2: Predicates and policies for a homework assignment administration system


an implicit universal quantification over the variables S, A, C, t, P, tr, and td. Intuitively, this rule states that a student S may view an assignment A in course C at time t by issuing a credential ⟨S⟩request_view(A, C) valid at the time of request, [t, t], if the following can be established:

1. ⟨admin⟩is_student(S, C) @ [t, t], i.e., the student is registered for the course at the time of request. To establish this, the student must use the credential she received from admin at the beginning of the semester.

2. ⟨P⟩is_assignment(A, C) @ [tr, td], i.e., a professor P states that A is an assignment of course C with release date tr and due date td.

3. ⟨admin⟩is_professor(P, C) @ [tr, td], i.e., P is a professor teaching the course C for the entire duration of the assignment. This can be established using the credential issued by admin to the professor.

4. t ≥ tr, i.e., the time of request is after the release of the assignment. This preempts attempts to read the assignment before it is officially released.

If each of these four conditions is satisfied, then the student may view the assignment. There are two important observations to be made here. First, the linear hypothesis ⟨P⟩is_assignment(A, C) @ [tr, td] consumed in condition 2 is regenerated at the end. Second, explicit time is crucial for modeling the constraint t ≥ tr. Such a policy rule cannot be modeled using only time bounds on credentials.

Similarly, the submit policy rule allows a student S to submit an assignment between its release and due dates by issuing a credential of the form ⟨S⟩request_submit(A, C)[t, t]. In this case the objective is to establish that ⟨admin⟩may_submit(S, A, C) @ [t, t], where t is the time at which the submission is made.

Our final policy rule, change, illustrates the use of linearity in modeling change of state. It allows a professor P to change the release and due dates of an assignment A in a course C he is teaching by issuing the credential ⟨P⟩change_date(A, C, t'r, t'd), where t'r and t'd are the new release and due dates of the assignment. The policy consumes the earlier hypothesis defining the release and due dates of the assignment and replaces it with a new one. For this to work properly, it is essential that such hypotheses be linear, not unrestricted. Failure to ensure this would result in two hypotheses defining the release and due dates of the same assignment after application of the rule.
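To make the view, submit and change rules concrete, here is an added Python model (not the paper's code) of them as operations on a store of time-qualified credentials, with the linear is_assignment credential consumed and then regenerated or replaced as the rules prescribe. The course, student and date values are constructed, and the interval required of is_professor in change is an assumption noted in the code.

```python
"""Added example (not the paper's code): the homework policies of Figure 2 run as
a state machine over a store of time-qualified credentials.  Each rule consumes
the linear is_assignment credential and either puts it back unchanged (view,
submit) or replaces it with a re-dated one (change); the constraints t >= tr
and t in [tr, td] are checked explicitly.  Times are real numbers; the semester
and assignment dates in the demo are constructed sample values."""
from dataclasses import dataclass, replace
from math import inf

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def contains(self, other):  # self is a superset of other
        return self.lo <= other.lo and other.hi <= self.hi

def point(t):
    return Interval(t, t)  # the closed point interval [t, t]

@dataclass(frozen=True)
class Cred:
    """<who>pred(args) valid on `valid`; linear credentials may be used once."""
    who: str
    pred: str
    args: tuple
    valid: Interval
    linear: bool = False

def find(store, who, pred, args, at):
    """A credential <who>pred(args) whose validity interval contains `at`, or None."""
    for c in store:
        if (c.who, c.pred, c.args) == (who, pred, args) and c.valid.contains(at):
            return c
    return None

def assignment(store, A, C):
    """Some professor's <P>is_assignment(A, C) @ [tr, td], whoever P is."""
    return next((c for c in store if c.pred == "is_assignment" and c.args == (A, C)), None)

def consume(store, c):
    """Using a linear credential removes it from the store; unrestricted ones stay."""
    return [x for x in store if x is not c] if c.linear else list(store)

def access(store, kind, S, A, C, t):
    """The view (kind='view') and submit (kind='submit') rules for student S at time t.
    Returns (the derived <admin>may_view/may_submit(S, A, C) @ [t, t], or None; new store)."""
    asg = assignment(store, A, C)
    if asg is None or find(store, "admin", "is_student", (S, C), point(t)) is None:
        return None, store
    P = asg.who
    if find(store, "admin", "is_professor", (P, C), asg.valid) is None:
        return None, store  # P must be the professor for the whole [tr, td]
    in_window = t >= asg.valid.lo if kind == "view" else asg.valid.contains(point(t))
    if not in_window:
        return None, store
    # the conclusion's tensor regenerates the consumed is_assignment credential
    return Cred("admin", "may_" + kind, (S, A, C), point(t)), consume(store, asg) + [asg]

def change(store, P, A, C, new_tr, new_td):
    """The change rule: P replaces the dates of A with [new_tr, new_td].
    Figure 2 gives no interval for is_professor here; requiring it to cover the
    new dates is this example's assumption.  Returns (changed?, new store)."""
    asg = assignment(store, A, C)
    if asg is None or asg.who != P:
        return False, store
    if find(store, "admin", "is_professor", (P, C), Interval(new_tr, new_td)) is None:
        return False, store
    return True, consume(store, asg) + [replace(asg, valid=Interval(new_tr, new_td))]

def assignments_after_change(linear):
    """Why is_assignment must be linear: an unrestricted one survives `change`,
    leaving two competing date ranges for the same assignment."""
    store = [Cred("admin", "is_professor", ("prof", "cs101"), Interval(0, 120)),
             Cred("prof", "is_assignment", ("hw1", "cs101"), Interval(10, 20), linear=linear)]
    _, store = change(store, "prof", "hw1", "cs101", 10, 40)
    return sum(c.pred == "is_assignment" for c in store)

def demo():
    sem = Interval(0, 120)  # constructed semester: days 0 to 120
    store = [Cred("admin", "is_student", ("alice", "cs101"), sem),
             Cred("admin", "is_professor", ("prof", "cs101"), sem),
             Cred("prof", "is_assignment", ("hw1", "cs101"), Interval(10, 20), linear=True)]
    early, store = access(store, "view", "alice", "hw1", "cs101", 5)    # before release
    view, store = access(store, "view", "alice", "hw1", "cs101", 30)    # viewable after due date
    late, store = access(store, "submit", "alice", "hw1", "cs101", 30)  # past the due date
    changed, store = change(store, "prof", "hw1", "cs101", 10, 40)      # due date extended
    ok, store = access(store, "submit", "alice", "hw1", "cs101", 30)    # now accepted
    return early is None, view is not None, late is None, changed, ok is not None
```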

A  Peer  Review  Publication  Process.  We  further  illustrate  the  expressiveness  of  our  logic  by 
describing  the  policies  of  a  hypothetical  peer  review  and  publication  process  of  an  academic  journal. 
This  example  differs  slightly  from  the  previous  example  in  that  the  policies  are  not  fixed.  Instead, 
they  are  created  by  principals  using  templates. 

We  use  the  meta-variable  A  to  range  over  articles  considered  for  publication,  R  and  K  for 
reviewers,  J  for  journals,  and  E  for  editors.  The  predicates  and  policies  used  in  this  example  are 
summarized  in  Figure  3.  An  important  point  to  observe  is  that  the  policies  are  not  issued  by  fixed 
principals;  instead,  each  editor  and  each  journal  issues  credentials  containing  the  policies. 

We stipulate that each journal J appoint an editor E during time period I by issuing the credential ⟨J⟩is_editor(E, J)[I]. The editor E can then declare R a reviewer for article A from time t onward by issuing the credential ⟨E⟩is_reviewer(R, A, J)[[t, ∞)].

In addition, E can start accepting reviews by issuing a credential that establishes the accept policy. While issuing the credential, the editor should instantiate I_E to the interval over which reviews may be accepted. All variables other than E and I_E are assumed to be universally quantified. Once established, the policy allows an appointed reviewer R to submit a review on article A at time ta by signing the credential ⟨R⟩is_approved(A, R, J)[ta, ta]. If ta ∈ I_E, the policy can be used to conclude that the editor considers the article approved.

In an analogous manner, each journal J can establish a publishing policy by issuing a credential following the form of publish. In issuing this credential, I_J should be instantiated to the interval during which articles are accepted for publication. All variables other than J and I_J are assumed to be universally quantified. Once established, the policy states that if an editor E says at time ta that an article A has been approved, and ta is in I_J, then the article is considered published from
Predicates

is_approved(A, K, J)    Article A is approved by principal K for publication in journal J.
is_reviewer(R, A, J)    R is the reviewer for article A submitted to journal J.
is_editor(E, J)         E is an editor for journal J.
is_published(A, J)      Article A is published in journal J.

Policies

approve : ⟨E⟩(⟨R⟩is_approved(A, R, J) @ [ta, ta] ⊸
          is_reviewer(R, A, J) @ [ta, ta] ⊃
          (ta ∈ I_E) ⊃
          is_approved(A, E, J) @ [ta, ∞))[(−∞, ∞)]

publish : ⟨J⟩(⟨E⟩is_approved(A, E, J) @ [ta, t'a] ⊸
          is_editor(E, J) @ [ta, ta] ⊃
          (ta ∈ I_J) ⊃
          is_published(A, J) @ [ta, ∞))[(−∞, ∞)]

Figure 3: Predicates and policies for a peer review publication process


time  ta  onward. 

5  Conclusion 

This  report  has  presented  a  logic  that  combines  time,  linearity,  hybrid  worlds,  and  authorization 
in  a  novel  way.  Our  proof-theoretic  approach  resulted  in  a  clean  meta-theory.  Among  other 
properties,  we  established  cut  elimination.  We  also  showed  that  a  reasonably  expressive  fragment 
of  our  logic  can  be  enforced  in  a  PCA  architecture  in  a  straightforward  manner.  Through  examples, 
we  illustrated  the  expressiveness  of  the  logic  and  demonstrated  scenarios  which  cannot  be  modeled 
in  earlier  proposals. 

An important topic that remains open is the analysis of policies written in the logic. We expect that work from prior logics, particularly non-interference theorems [19], will carry over to η-logic. It will be interesting to study how these theorems interact with time.
A Complete η-logic Sequent Calculus

The complete set of inference rules of η-logic are summarized below. We extend the formulas of the logic to include all of the standard formulas of intuitionistic linear logic, with the exception of additive falsehood, 0. 0 is not included in the logic because we believe it to be a security risk: from the assumption 0 @ I', one can conclude any fact. The syntax of formulas is:

A, B ::= P | A ⊗ B | 1 | A & B | ⊤ | A ⊕ B | A ⊸ B | A ⊃ B | ∀x:s. A | A @ I | ⟨K⟩A | I ⊇ I'

The new formulas do not interact with time in interesting ways: they follow the pattern by which the ⊗ connective interacts with time. The proofs given in subsequent appendices include these formulas.


Basic Rules

$$\frac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;P[I] \Rightarrow P[I']}\;\mathit{init}\ (P\ \text{atomic})
\qquad
\frac{\Sigma;\Psi;\Gamma,A[I];\Delta,A[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma,A[I];\Delta \Rightarrow \gamma}\;\mathit{copy}$$

$$\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \mathrel{@} I[I']}\;@R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \mathrel{@} I[I'] \Rightarrow \gamma}\;@L$$

$$\frac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow I \supseteq I'[I'']}\;{\supseteq}R
\qquad
\frac{\Sigma;\Psi,I \supseteq I';\Gamma;\Delta \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,I \supseteq I'[I''] \Rightarrow \gamma}\;{\supseteq}L$$

Affirmation and $\langle K\rangle A$

$$\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I}\;\mathit{affirms}
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A[I]}\;\langle\rangle R$$

$$\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;\Delta,\langle K\rangle A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'}\;\langle\rangle L$$

Other Connectives

$$\frac{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I] \qquad \Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow B[I]}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A \otimes B[I]}\;{\otimes}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I],B[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \otimes B[I] \Rightarrow \gamma}\;{\otimes}L$$

$$\frac{}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I]}\;1R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,1[I] \Rightarrow \gamma}\;1L$$

$$\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I] \qquad \Sigma;\Psi;\Gamma;\Delta \Rightarrow B[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \mathbin{\&} B[I]}\;{\&}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \mathbin{\&} B[I] \Rightarrow \gamma}\;{\&}L_1
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,B[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \mathbin{\&} B[I] \Rightarrow \gamma}\;{\&}L_2$$

$$\frac{}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \top[I]}\;{\top}R$$

$$\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \oplus B[I]}\;{\oplus}R_1
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \Rightarrow B[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \oplus B[I]}\;{\oplus}R_2
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \Rightarrow \gamma \qquad \Sigma;\Psi;\Gamma;\Delta,B[I] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \oplus B[I] \Rightarrow \gamma}\;{\oplus}L$$

$$\frac{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A[i] \Rightarrow B[i]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \multimap B[I]}\;{\multimap}R$$

$$\frac{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta_2,B[I'] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,A \multimap B[I] \Rightarrow \gamma}\;{\multimap}L$$

$$\frac{\Sigma;\Psi;\Gamma;\cdot \Rightarrow A[I]}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow {!A}[I]}\;{!}R
\qquad
\frac{\Sigma;\Psi;\Gamma,A[I];\Delta \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,{!A}[I] \Rightarrow \gamma}\;{!}L$$

$$\frac{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A[i];\Delta \Rightarrow B[i]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \supset B[I]}\;{\supset}R$$

$$\frac{\Sigma;\Psi;\Gamma;\cdot \Rightarrow A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta,B[I'] \Rightarrow \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \supset B[I] \Rightarrow \gamma}\;{\supset}L$$

$$\frac{\Sigma,a{:}s;\Psi;\Gamma;\Delta \Rightarrow [a/x]A[I]}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A[I]}\;{\forall}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,[t/x]A[I] \Rightarrow \gamma \qquad \Sigma \vdash t{:}s}{\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.A[I] \Rightarrow \gamma}\;{\forall}L$$
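As an added illustration, not part of the original report, the following derivation shows how the rules above let a linear implication established on an interval $I$ be consumed on any sub-interval $I'$ of $I$. It assumes $P$ and $Q$ atomic and a constraint context $\Psi$ with $\Sigma;\Psi \models I \supseteq I'$; the two unlabelled leaves hold by the Reflexivity Property of $\models$:

$$\frac{\dfrac{\Sigma;\Psi \models I' \supseteq I'}{\Sigma;\Psi;\Gamma;P[I'] \Rightarrow P[I']}\;\mathit{init}
\qquad
\Sigma;\Psi \models I \supseteq I'
\qquad
\dfrac{\Sigma;\Psi \models I' \supseteq I'}{\Sigma;\Psi;\Gamma;Q[I'] \Rightarrow Q[I']}\;\mathit{init}}
{\Sigma;\Psi;\Gamma;P[I'],\;P \multimap Q[I] \Rightarrow Q[I']}\;{\multimap}L$$

Here $\Delta_1 = P[I']$ and $\Delta_2 = \cdot$ in the ${\multimap}L$ rule. If only $\Sigma;\Psi \models I' \supseteq I$ were available (that is, $I'$ strictly extends $I$), the middle premise could not be discharged and the implication could not be applied at $I'$: a credential holds on sub-intervals of the interval at which it was established, never on larger ones.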


B  Meta-theoretic Proofs

B.1  Identity Principle

Theorem 2. If $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;A[I] \Rightarrow A[I']$.

Proof. By structural induction on the proposition $A$. We name the given derivation $\mathcal{D}$.

Case: $A = P$

1. $\Sigma;\Psi;\Gamma;P[I] \Rightarrow P[I']$    init Rule on $\mathcal{D}$

Case: $A = A_1 \otimes A_2$

1. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
2. $\Sigma;\Psi;\Gamma;A_2[I] \Rightarrow A_2[I']$    I.H. on $A_2$ and $\mathcal{D}$
3. $\Sigma;\Psi;\Gamma;A_1[I],A_2[I] \Rightarrow A_1 \otimes A_2[I']$    ${\otimes}R$ Rule on previous lines
4. $\Sigma;\Psi;\Gamma;A_1 \otimes A_2[I] \Rightarrow A_1 \otimes A_2[I']$    ${\otimes}L$ Rule on previous line

Case: $A = 1$

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I']$    $1R$ Rule
2. $\Sigma;\Psi;\Gamma;1[I] \Rightarrow 1[I']$    $1L$ Rule on previous line

Case: $A = A_1 \mathbin{\&} A_2$

1. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
2. $\Sigma;\Psi;\Gamma;A_1 \mathbin{\&} A_2[I] \Rightarrow A_1[I']$    ${\&}L_1$ Rule on previous line
3. $\Sigma;\Psi;\Gamma;A_2[I] \Rightarrow A_2[I']$    I.H. on $A_2$ and $\mathcal{D}$
4. $\Sigma;\Psi;\Gamma;A_1 \mathbin{\&} A_2[I] \Rightarrow A_2[I']$    ${\&}L_2$ Rule on previous line
5. $\Sigma;\Psi;\Gamma;A_1 \mathbin{\&} A_2[I] \Rightarrow A_1 \mathbin{\&} A_2[I']$    ${\&}R$ Rule on second and fourth lines

Case: $A = \top$

1. $\Sigma;\Psi;\Gamma;\top[I] \Rightarrow \top[I']$    ${\top}R$ Rule

Case: $A = A_1 \oplus A_2$

1. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
2. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow A_1 \oplus A_2[I']$    ${\oplus}R_1$ Rule on previous line
3. $\Sigma;\Psi;\Gamma;A_2[I] \Rightarrow A_2[I']$    I.H. on $A_2$ and $\mathcal{D}$
4. $\Sigma;\Psi;\Gamma;A_2[I] \Rightarrow A_1 \oplus A_2[I']$    ${\oplus}R_2$ Rule on previous line
5. $\Sigma;\Psi;\Gamma;A_1 \oplus A_2[I] \Rightarrow A_1 \oplus A_2[I']$    ${\oplus}L$ Rule on second and fourth lines

Case: $A = A_1 \multimap A_2$

1. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models i' \supseteq i'$    Reflexivity Property of $\models$
2. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;A_1[i'] \Rightarrow A_1[i']$    I.H. on $A_1$ and previous line
3. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;A_2[i'] \Rightarrow A_2[i']$    I.H. on $A_2$ and first line
4. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{D}$
5. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I' \supseteq i'$    Hypothesis Property of $\models$
6. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I \supseteq i'$    Transitivity Property of $\models$ on fourth and fifth lines
7. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;A_1 \multimap A_2[I],A_1[i'] \Rightarrow A_2[i']$    ${\multimap}L$ Rule on second, sixth, and third lines
8. $\Sigma;\Psi;\Gamma;A_1 \multimap A_2[I] \Rightarrow A_1 \multimap A_2[I']$    ${\multimap}R$ Rule on previous line

Case: $A = {!A_1}$

1. $\Sigma;\Psi;\Gamma,A_1[I];A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
2. $\Sigma;\Psi;\Gamma,A_1[I];\cdot \Rightarrow A_1[I']$    copy Rule on previous line
3. $\Sigma;\Psi;\Gamma,A_1[I];\cdot \Rightarrow {!A_1}[I']$    ${!}R$ Rule on previous line
4. $\Sigma;\Psi;\Gamma;{!A_1}[I] \Rightarrow {!A_1}[I']$    ${!}L$ Rule on previous line

Case: $A = A_1 \supset A_2$

1. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models i' \supseteq i'$    Reflexivity Property of $\models$
2. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,A_1[i'];A_1[i'] \Rightarrow A_1[i']$    I.H. on $A_1$ and previous line
3. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,A_1[i'];\cdot \Rightarrow A_1[i']$    copy Rule on previous line
4. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,A_1[i'];A_2[i'] \Rightarrow A_2[i']$    I.H. on $A_2$ and first line
5. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{D}$
6. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I' \supseteq i'$    Hypothesis Property of $\models$
7. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i' \models I \supseteq i'$    Transitivity Property of $\models$ on fifth and sixth lines
8. $\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,A_1[i'];A_1 \supset A_2[I] \Rightarrow A_2[i']$    ${\supset}L$ Rule on third, seventh, and fourth lines
9. $\Sigma;\Psi;\Gamma;A_1 \supset A_2[I] \Rightarrow A_1 \supset A_2[I']$    ${\supset}R$ Rule on previous line

Case: $A = \forall x{:}s.A_1$

1. $\Sigma,x{:}s \vdash x{:}s$
2. $\Sigma,x{:}s;\Psi;\Gamma;A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
3. $\Sigma,x{:}s;\Psi;\Gamma;\forall x{:}s.A_1[I] \Rightarrow A_1[I']$    ${\forall}L$ Rule on previous lines
4. $\Sigma;\Psi;\Gamma;\forall x{:}s.A_1[I] \Rightarrow \forall x{:}s.A_1[I']$    ${\forall}R$ Rule on previous line

Case: $A = A_1 \mathrel{@} I''$

1. $\Sigma;\Psi \models I'' \supseteq I''$    Reflexivity Property of $\models$
2. $\Sigma;\Psi;\Gamma;A_1[I''] \Rightarrow A_1[I'']$    I.H. on $A_1$ and previous line
3. $\Sigma;\Psi;\Gamma;A_1[I''] \Rightarrow A_1 \mathrel{@} I''[I']$    $@R$ Rule on previous line
4. $\Sigma;\Psi;\Gamma;A_1 \mathrel{@} I''[I] \Rightarrow A_1 \mathrel{@} I''[I']$    $@L$ Rule on previous line

Case: $A = \langle K\rangle A_1$

1. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow A_1[I']$    I.H. on $A_1$ and $\mathcal{D}$
2. $\Sigma;\Psi;\Gamma;A_1[I] \Rightarrow (K\ \mathit{affirms}\ A_1)\ \mathit{at}\ I'$    affirms Rule on previous line
3. $\Sigma;\Psi;\Gamma;\langle K\rangle A_1[I] \Rightarrow (K\ \mathit{affirms}\ A_1)\ \mathit{at}\ I'$    $\langle\rangle L$ Rule on previous line and $\mathcal{D}$
4. $\Sigma;\Psi;\Gamma;\langle K\rangle A_1[I] \Rightarrow \langle K\rangle A_1[I']$    $\langle\rangle R$ Rule on previous line

Case: $A = I_2 \supseteq I_3$

1. $\Sigma;\Psi,I_2 \supseteq I_3 \models I_2 \supseteq I_3$    Hypothesis Property of $\models$
2. $\Sigma;\Psi,I_2 \supseteq I_3;\Gamma;\cdot \Rightarrow I_2 \supseteq I_3[I']$    ${\supseteq}R$ Rule on previous line
3. $\Sigma;\Psi;\Gamma;I_2 \supseteq I_3[I] \Rightarrow I_2 \supseteq I_3[I']$    ${\supseteq}L$ Rule on previous line

□
B.2  Subsumption

Before we can prove the subsumption theorem, we must prove two lemmata.

B.2.1  Transitivity for Constraint Hypotheses in the Constraint Domain

Lemma 1. If $\Sigma;\Psi,I \supseteq I'' \models C$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi,I' \supseteq I'' \models C$.

Proof. Let $\mathcal{D} = \Sigma;\Psi,I \supseteq I'' \models C$ and $\mathcal{E} = \Sigma;\Psi \models I \supseteq I'$.

1. $\Sigma;\Psi,I' \supseteq I'' \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'' \models I' \supseteq I''$    Hypothesis Property of $\models$
3. $\Sigma;\Psi,I' \supseteq I'' \models I \supseteq I''$    Transitivity Property of $\models$ on previous lines
4. $\Sigma;\Psi,I \supseteq I'',I' \supseteq I'' \models C$    Weakening Property of $\models$ on $\mathcal{D}$
5. $\Sigma;\Psi,I' \supseteq I'' \models C$    Cut Property of $\models$ on third and fourth lines

□


B.2.2  Transitivity for Constraint Hypotheses

Lemma 2. If $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow \gamma$.

Proof. By structural induction on the first given derivation, $\mathcal{D}$. We name the second given derivation $\mathcal{E}$. In each case we state the premises of the last rule of $\mathcal{D}$ and its conclusion.

Case: $\mathcal{D}$ ends in init, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'' \models I_3 \supseteq I_4$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;P[I_3] \Rightarrow P[I_4]$.

1. $\Sigma;\Psi,I' \supseteq I'' \models I_3 \supseteq I_4$    Lemma 1 on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;P[I_3] \Rightarrow P[I_4]$    init Rule on previous line

Case: $\mathcal{D}$ ends in copy, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma',A[I_3];\Delta,A[I_3] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma',A[I_3];\Delta \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma',A[I_3];\Delta,A[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma',A[I_3];\Delta \Rightarrow \gamma$    copy Rule on previous line

Case: $\mathcal{D}$ ends in ${\otimes}R$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1 \Rightarrow A_1[I_3]$ and $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_2 \Rightarrow A_2[I_3]$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1 \Rightarrow A_1[I_3]$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_2 \Rightarrow A_2[I_3]$    I.H. on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I_3]$    ${\otimes}R$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\otimes}L$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1[I_3],A_2[I_3] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1 \otimes A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1[I_3],A_2[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1 \otimes A_2[I_3] \Rightarrow \gamma$    ${\otimes}L$ Rule on previous line

Case: $\mathcal{D}$ ends in $1R$, with conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\cdot \Rightarrow 1[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\cdot \Rightarrow 1[I_3]$    $1R$ Rule

Case: $\mathcal{D}$ ends in $1L$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,1[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1 \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,1[I_3] \Rightarrow \gamma$    $1L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}R$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1[I_3]$ and $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_2[I_3]$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1[I_3]$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_2[I_3]$    I.H. on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I_3]$    ${\&}R$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\&}L_1$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1[I_3] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I_3] \Rightarrow \gamma$    ${\&}L_1$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}L_2$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_2[I_3] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_2[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I_3] \Rightarrow \gamma$    ${\&}L_2$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\top}R$, with conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow \top[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow \top[I_3]$    ${\top}R$ Rule

Case: $\mathcal{D}$ ends in ${\oplus}R_1$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1[I_3]$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I_3]$    ${\oplus}R_1$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\oplus}R_2$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_2[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_2[I_3]$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I_3]$    ${\oplus}R_2$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\oplus}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1[I_3] \Rightarrow \gamma$ and $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_2[I_3] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1 \oplus A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_2[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1 \oplus A_2[I_3] \Rightarrow \gamma$    ${\oplus}L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\multimap}R$, with premise $\mathcal{D}' : \Sigma,i_3{:}\mathsf{interval};\Psi,I \supseteq I'',I_3 \supseteq i_3;\Gamma;\Delta,A_1[i_3] \Rightarrow A_2[i_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I_3]$.

1. $\Sigma,i_3{:}\mathsf{interval};\Psi,I_3 \supseteq i_3 \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma,i_3{:}\mathsf{interval};\Psi,I' \supseteq I'',I_3 \supseteq i_3;\Gamma;\Delta,A_1[i_3] \Rightarrow A_2[i_3]$    I.H. on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I_3]$    ${\multimap}R$ Rule on previous line

Case: The last rule in $\mathcal{D}$ is ${\multimap}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1 \Rightarrow A_1[I_4]$, $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'' \models I_3 \supseteq I_4$ and $\mathcal{D}_3 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_2,A_2[I_4] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,\Delta_2,A_1 \multimap A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1 \Rightarrow A_1[I_4]$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'' \models I_3 \supseteq I_4$    Lemma 1 on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_2,A_2[I_4] \Rightarrow \gamma$    I.H. on $\mathcal{D}_3$ and $\mathcal{E}$
4. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,\Delta_2,A_1 \multimap A_2[I_3] \Rightarrow \gamma$    ${\multimap}L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${!}R$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\cdot \Rightarrow A[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\cdot \Rightarrow {!A}[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\cdot \Rightarrow A[I_3]$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\cdot \Rightarrow {!A}[I_3]$    ${!}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${!}L$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma,A[I_3];\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,{!A}[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma,A[I_3];\Delta_1 \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,{!A}[I_3] \Rightarrow \gamma$    ${!}L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supset}R$, with premise $\mathcal{D}' : \Sigma,i_3{:}\mathsf{interval};\Psi,I \supseteq I'',I_3 \supseteq i_3;\Gamma,A_1[i_3];\Delta \Rightarrow A_2[i_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \supset A_2[I_3]$.

1. $\Sigma,i_3{:}\mathsf{interval};\Psi,I_3 \supseteq i_3 \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma,i_3{:}\mathsf{interval};\Psi,I' \supseteq I'',I_3 \supseteq i_3;\Gamma,A_1[i_3];\Delta \Rightarrow A_2[i_3]$    I.H. on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A_1 \supset A_2[I_3]$    ${\supset}R$ Rule on previous line

Case: The last rule in $\mathcal{D}$ is ${\supset}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\cdot \Rightarrow A_1[I_4]$, $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'' \models I_3 \supseteq I_4$ and $\mathcal{D}_3 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_2[I_4] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A_1 \supset A_2[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\cdot \Rightarrow A_1[I_4]$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'' \models I_3 \supseteq I_4$    Lemma 1 on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_2[I_4] \Rightarrow \gamma$    I.H. on $\mathcal{D}_3$ and $\mathcal{E}$
4. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A_1 \supset A_2[I_3] \Rightarrow \gamma$    ${\supset}L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\forall}R$, with premise $\mathcal{D}' : \Sigma,x{:}s;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow \forall x{:}s.A[I_3]$.

1. $\Sigma,x{:}s;\Psi \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma,x{:}s;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$    I.H. on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow \forall x{:}s.A[I_3]$    ${\forall}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\forall}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,[t/x]A[I_3] \Rightarrow \gamma$ and $\mathcal{D}_2 : \Sigma \vdash t{:}s$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,\forall x{:}s.A[I_3] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,[t/x]A[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,\forall x{:}s.A[I_3] \Rightarrow \gamma$    ${\forall}L$ Rule on previous line and $\mathcal{D}_2$

Case: $\mathcal{D}$ ends in $@R$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A \mathrel{@} I_3[I_4]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A \mathrel{@} I_3[I_4]$    $@R$ Rule on previous line

Case: $\mathcal{D}$ ends in $@L$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A[I_3] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A \mathrel{@} I_3[I_4] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A[I_3] \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A \mathrel{@} I_3[I_4] \Rightarrow \gamma$    $@L$ Rule on previous line

Case: $\mathcal{D}$ ends in affirms, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I_3$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A[I_3]$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I_3$    affirms Rule on previous line

Case: $\mathcal{D}$ ends in $\langle\rangle R$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I_3$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta \Rightarrow \langle K\rangle A[I_3]$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I_3$    I.H. on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow \langle K\rangle A[I_3]$    $\langle\rangle R$ Rule on previous line

Case: $\mathcal{D}$ ends in $\langle\rangle L$, with premises $\mathcal{D}_1 : \Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,A[I_3] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I_4$ and $\mathcal{D}_2 : \Sigma;\Psi,I \supseteq I'' \models I_3 \supseteq I_4$, and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,\langle K\rangle A[I_3] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I_4$.

1. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,A[I_3] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I_4$    I.H. on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'' \models I_3 \supseteq I_4$    Lemma 1 on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,\langle K\rangle A[I_3] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I_4$    $\langle\rangle L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\supseteq}R$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'' \models I_3 \supseteq I_4$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\cdot \Rightarrow I_3 \supseteq I_4[I_5]$.

1. $\Sigma;\Psi,I' \supseteq I'' \models I_3 \supseteq I_4$    Lemma 1 on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\cdot \Rightarrow I_3 \supseteq I_4[I_5]$    ${\supseteq}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supseteq}L$, with premise $\mathcal{D}' : \Sigma;\Psi,I \supseteq I'',I_3 \supseteq I_4;\Gamma;\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,I \supseteq I'';\Gamma;\Delta_1,I_3 \supseteq I_4[I_5] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I_3 \supseteq I_4 \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma;\Psi,I' \supseteq I'',I_3 \supseteq I_4;\Gamma;\Delta_1 \Rightarrow \gamma$    I.H. on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1,I_3 \supseteq I_4[I_5] \Rightarrow \gamma$    ${\supseteq}L$ Rule on previous line

□


B.2.3  Subsumption Proof

Theorem 3.

1. If $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I']$.

2. If $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$.

Proof. By simultaneous structural induction on the first given derivation, $\mathcal{D}$. We name the second given derivation $\mathcal{E}$. In each case we state the premises of the last rule of $\mathcal{D}$ and its conclusion.

Part 1:

Case: $\mathcal{D}$ ends in init, with premise $\mathcal{D}' : \Sigma;\Psi \models I'' \supseteq I$ and conclusion $\Sigma;\Psi;\Gamma;P[I''] \Rightarrow P[I]$.

1. $\Sigma;\Psi \models I'' \supseteq I'$    Transitivity Property of $\models$ on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;P[I''] \Rightarrow P[I']$    init Rule on previous line

Case: $\mathcal{D}$ ends in copy, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma',B[I''];\Delta,B[I''] \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma',B[I''];\Delta \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma',B[I''];\Delta,B[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma',B[I''];\Delta \Rightarrow A[I']$    copy Rule on previous line

Case: $\mathcal{D}$ ends in ${\otimes}R$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I]$ and $\mathcal{D}_2 : \Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow A_2[I]$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I']$    I.H.(1) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow A_2[I']$    I.H.(1) on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I']$    ${\otimes}R$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\otimes}L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''],B_2[I''] \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \otimes B_2[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''],B_2[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \otimes B_2[I''] \Rightarrow A[I']$    ${\otimes}L$ Rule on previous line

Case: $\mathcal{D}$ ends in $1R$, with conclusion $\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I]$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I']$    $1R$ Rule

Case: $\mathcal{D}$ ends in $1L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,1[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,1[I''] \Rightarrow A[I']$    $1L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}R$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]$ and $\mathcal{D}_2 : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]$, and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I']$    I.H.(1) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I']$    I.H.(1) on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I']$    ${\&}R$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\&}L_1$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow A[I']$    ${\&}L_1$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}L_2$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow A[I']$    ${\&}L_2$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\top}R$, with conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \top[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \top[I']$    ${\top}R$ Rule

Case: $\mathcal{D}$ ends in ${\oplus}R_1$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I']$    ${\oplus}R_1$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\oplus}R_2$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I']$    ${\oplus}R_2$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\oplus}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow A[I]$ and $\mathcal{D}_2 : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow A[I]$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \oplus B_2[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \oplus B_2[I''] \Rightarrow A[I']$    ${\oplus}L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\multimap}R$, with premise $\mathcal{D}' : \Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I]$.

1. $\Sigma,i{:}\mathsf{interval};\Psi,I' \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]$    Lemma 2 on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I']$    ${\multimap}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\multimap}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow B_1[I_3]$, $\mathcal{D}_2 : \Sigma;\Psi \models I_2 \supseteq I_3$ and $\mathcal{D}_3 : \Sigma;\Psi;\Gamma;\Delta_2,B_2[I_3] \Rightarrow A[I]$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,B_1 \multimap B_2[I_2] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_2,B_2[I_3] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}_3$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,B_1 \multimap B_2[I_2] \Rightarrow A[I']$    ${\multimap}L$ Rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line

Case: $\mathcal{D}$ ends in ${!}R$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\cdot \Rightarrow A_1[I]$ and conclusion $\Sigma;\Psi;\Gamma;\cdot \Rightarrow {!A_1}[I]$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow A_1[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow {!A_1}[I']$    ${!}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${!}L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma,B[I''];\Delta_1 \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,{!B}[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma,B[I''];\Delta_1 \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,{!B}[I''] \Rightarrow A[I']$    ${!}L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supset}R$, with premise $\mathcal{D}' : \Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I]$.

1. $\Sigma,i{:}\mathsf{interval};\Psi,I' \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]$    Lemma 2 on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I']$    ${\supset}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supset}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\cdot \Rightarrow B_1[I_3]$, $\mathcal{D}_2 : \Sigma;\Psi \models I_2 \supseteq I_3$ and $\mathcal{D}_3 : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I_3] \Rightarrow A[I]$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \supset B_2[I_2] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I_3] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}_3$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \supset B_2[I_2] \Rightarrow A[I']$    ${\supset}L$ Rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line

Case: $\mathcal{D}$ ends in ${\forall}R$, with premise $\mathcal{D}' : \Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A_1[I]$.

1. $\Sigma,x{:}s;\Psi \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1[I']$    I.H.(1) on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A_1[I']$    ${\forall}R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\forall}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta,[t/x]B[I''] \Rightarrow A[I]$ and $\mathcal{D}_2 : \Sigma \vdash t{:}s$, and conclusion $\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.B[I''] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta,[t/x]B[I''] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.B[I''] \Rightarrow A[I']$    ${\forall}L$ Rule on previous line and $\mathcal{D}_2$

Case: $\mathcal{D}$ ends in $@R$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I'']$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathrel{@} I''[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathrel{@} I''[I']$    $@R$ Rule on $\mathcal{D}'$

Case: $\mathcal{D}$ ends in $@L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B[I_3] \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B \mathrel{@} I_3[I_2] \Rightarrow A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B[I_3] \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B \mathrel{@} I_3[I_2] \Rightarrow A[I']$    $@L$ Rule on previous line

Case: $\mathcal{D}$ ends in $\langle\rangle R$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A_1)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A_1[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A_1)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A_1[I']$    $\langle\rangle R$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supseteq}R$, with premise $\mathcal{D}' : \Sigma;\Psi \models I'' \supseteq I'''$ and conclusion $\Sigma;\Psi;\Gamma;\cdot \Rightarrow I'' \supseteq I'''[I]$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow I'' \supseteq I'''[I']$    ${\supseteq}R$ Rule on $\mathcal{D}'$

Case: $\mathcal{D}$ ends in ${\supseteq}L$, with premise $\mathcal{D}' : \Sigma;\Psi,I_2 \supseteq I_3;\Gamma;\Delta_1 \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,I_2 \supseteq I_3[I_4] \Rightarrow A[I]$.

1. $\Sigma;\Psi,I_2 \supseteq I_3 \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma;\Psi,I_2 \supseteq I_3;\Gamma;\Delta_1 \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi;\Gamma;\Delta_1,I_2 \supseteq I_3[I_4] \Rightarrow A[I']$    ${\supseteq}L$ Rule on previous line

Part 2:

Case: $\mathcal{D}$ ends in copy, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma',B[I''];\Delta,B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma',B[I''];\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma',B[I''];\Delta,B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma',B[I''];\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    copy Rule on previous line

Case: $\mathcal{D}$ ends in ${\otimes}L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''],B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \otimes B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''],B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \otimes B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\otimes}L$ Rule on previous line

Case: $\mathcal{D}$ ends in $1L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    $1L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}L_1$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\&}L_1$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\&}L_2$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\&}L_2$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\oplus}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and $\mathcal{D}_2 : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \oplus B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_1[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \oplus B_2[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\oplus}L$ Rule on previous lines

Case: $\mathcal{D}$ ends in ${\multimap}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow B_1[I_3]$, $\mathcal{D}_2 : \Sigma;\Psi \models I_2 \supseteq I_3$ and $\mathcal{D}_3 : \Sigma;\Psi;\Gamma;\Delta_2,B_2[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,B_1 \multimap B_2[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_2,B_2[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_3$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,B_1 \multimap B_2[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\multimap}L$ Rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line

Case: $\mathcal{D}$ ends in ${!}L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma,B[I''];\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,{!B}[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma,B[I''];\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,{!B}[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${!}L$ Rule on previous line

Case: $\mathcal{D}$ ends in ${\supset}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\cdot \Rightarrow B_1[I_3]$, $\mathcal{D}_2 : \Sigma;\Psi \models I_2 \supseteq I_3$ and $\mathcal{D}_3 : \Sigma;\Psi;\Gamma;\Delta_1,B_2[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \supset B_2[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B_2[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_3$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B_1 \supset B_2[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\supset}L$ Rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line

Case: $\mathcal{D}$ ends in ${\forall}L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta,[t/x]B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and $\mathcal{D}_2 : \Sigma \vdash t{:}s$, and conclusion $\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta,[t/x]B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.B[I''] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\forall}L$ Rule on previous line and $\mathcal{D}_2$

Case: $\mathcal{D}$ ends in $@L$, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta_1,B[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,B \mathrel{@} I_3[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B[I_3] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta_1,B \mathrel{@} I_3[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    $@L$ Rule on previous line

Case: $\mathcal{D}$ ends in $\langle\rangle L$, with premises $\mathcal{D}_1 : \Sigma;\Psi;\Gamma;\Delta_1,B[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and $\mathcal{D}_2 : \Sigma;\Psi \models I_2 \supseteq I$, and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,\langle K\rangle B[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,B[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}_1$ and $\mathcal{E}$
2. $\Sigma;\Psi \models I_2 \supseteq I'$    Transitivity Property of $\models$ on $\mathcal{D}_2$ and $\mathcal{E}$
3. $\Sigma;\Psi;\Gamma;\Delta_1,\langle K\rangle B[I_2] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    $\langle\rangle L$ Rule on previous lines

Case: $\mathcal{D}$ ends in affirms, with premise $\mathcal{D}' : \Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$ and conclusion $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I']$    I.H.(1) on $\mathcal{D}'$ and $\mathcal{E}$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    affirms Rule on previous line

Case: $\mathcal{D}$ ends in ${\supseteq}L$, with premise $\mathcal{D}' : \Sigma;\Psi,I_2 \supseteq I_3;\Gamma;\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi;\Gamma;\Delta_1,I_2 \supseteq I_3[I_4] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi,I_2 \supseteq I_3 \models I \supseteq I'$    Weakening Property of $\models$ on $\mathcal{E}$
2. $\Sigma;\Psi,I_2 \supseteq I_3;\Gamma;\Delta_1 \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    I.H.(2) on $\mathcal{D}'$ and previous line
3. $\Sigma;\Psi;\Gamma;\Delta_1,I_2 \supseteq I_3[I_4] \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I'$    ${\supseteq}L$ Rule on previous line

□


B.3  Admissibility of Cut

Before we can prove the admissibility of cut, we must prove a few lemmas.

B.3.1  Constraint Cut Lemma

Lemma 3. If $\Sigma;\Psi \models C$ and $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow \gamma$, then $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \gamma$.

Proof. By structural induction on the second given derivation, $\mathcal{E}$. We name the first given derivation $\mathcal{D}$. In each case we state the premises of the last rule of $\mathcal{E}$ and its conclusion.

Case: $\mathcal{E}$ ends in init, with premise $\mathcal{E}' : \Sigma;\Psi,C \models I \supseteq I'$ and conclusion $\Sigma;\Psi,C;\Gamma;P[I] \Rightarrow P[I']$.

1. $\Sigma;\Psi \models I \supseteq I'$    Cut Property of $\models$ on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;P[I] \Rightarrow P[I']$    init Rule on previous line

Case: $\mathcal{E}$ ends in copy, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma',A[I];\Delta,A[I] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma',A[I];\Delta \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma',A[I];\Delta,A[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma',A[I];\Delta \Rightarrow \gamma$    copy Rule on previous line

Case: $\mathcal{E}$ ends in ${\otimes}R$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta_1 \Rightarrow A_1[I]$ and $\mathcal{E}_2 : \Sigma;\Psi,C;\Gamma;\Delta_2 \Rightarrow A_2[I]$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow A_2[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I]$    ${\otimes}R$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${\otimes}L$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta_1,A_1[I],A_2[I] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A_1 \otimes A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A_1[I],A_2[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,A_1 \otimes A_2[I] \Rightarrow \gamma$    ${\otimes}L$ Rule on previous line

Case: $\mathcal{E}$ ends in $1R$, with conclusion $\Sigma;\Psi,C;\Gamma;\cdot \Rightarrow 1[I]$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I]$    $1R$ Rule

Case: $\mathcal{E}$ ends in $1L$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,1[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,1[I] \Rightarrow \gamma$    $1L$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\&}R$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1[I]$ and $\mathcal{E}_2 : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_2[I]$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]$    ${\&}R$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${\&}L_1$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma$    ${\&}L_1$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\&}L_2$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma$    ${\&}L_2$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\top}R$, with conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow \top[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \top[I]$    ${\top}R$ Rule

Case: $\mathcal{E}$ ends in ${\oplus}R_1$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$    ${\oplus}R_1$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\oplus}R_2$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_2[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]$    ${\oplus}R_2$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\oplus}L$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma$ and $\mathcal{E}_2 : \Sigma;\Psi,C;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A_1 \oplus A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta_1,A_1 \oplus A_2[I] \Rightarrow \gamma$    ${\oplus}L$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${\multimap}R$, with premise $\mathcal{E}' : \Sigma,i{:}\mathsf{interval};\Psi,C,I \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I]$.

1. $\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i \models C$    Weakening Property of $\models$ on $\mathcal{D}$
2. $\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]$    I.H. on previous line and $\mathcal{E}'$
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I]$    ${\multimap}R$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\multimap}L$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta_1 \Rightarrow A_1[I']$, $\mathcal{E}_2 : \Sigma;\Psi,C \models I \supseteq I'$ and $\mathcal{E}_3 : \Sigma;\Psi,C;\Gamma;\Delta_2,A_2[I'] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,\Delta_2,A_1 \multimap A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I']$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi \models I \supseteq I'$    Cut Property of $\models$ on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta_2,A_2[I'] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}_3$
4. $\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,A_1 \multimap A_2[I] \Rightarrow \gamma$    ${\multimap}L$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${!}R$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\cdot \Rightarrow A[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\cdot \Rightarrow {!A}[I]$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow A[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow {!A}[I]$    ${!}R$ Rule on previous line

Case: $\mathcal{E}$ ends in ${!}L$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma,A[I];\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,{!A}[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma,A[I];\Delta_1 \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,{!A}[I] \Rightarrow \gamma$    ${!}L$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\supset}R$, with premise $\mathcal{E}' : \Sigma,i{:}\mathsf{interval};\Psi,C,I \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I]$.

1. $\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i \models C$    Weakening Property of $\models$ on $\mathcal{D}$
2. $\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]$    I.H. on previous line and $\mathcal{E}'$
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I]$    ${\supset}R$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\supset}L$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\cdot \Rightarrow A_1[I']$, $\mathcal{E}_2 : \Sigma;\Psi,C \models I \supseteq I'$ and $\mathcal{E}_3 : \Sigma;\Psi,C;\Gamma;\Delta_1,A_2[I'] \Rightarrow \gamma$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A_1 \supset A_2[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow A_1[I']$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi \models I \supseteq I'$    Cut Property of $\models$ on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta_1,A_2[I'] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}_3$
4. $\Sigma;\Psi;\Gamma;\Delta_1,A_1 \supset A_2[I] \Rightarrow \gamma$    ${\supset}L$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${\forall}R$, with premise $\mathcal{E}' : \Sigma,x{:}s;\Psi,C;\Gamma;\Delta \Rightarrow A[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow \forall x{:}s.A[I]$.

1. $\Sigma,x{:}s;\Psi \models C$    Weakening Property of $\models$ on $\mathcal{D}$
2. $\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A[I]$    I.H. on previous line and $\mathcal{E}'$
3. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A[I]$    ${\forall}R$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\forall}L$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta_1,[t/x]A[I] \Rightarrow \gamma$ and $\mathcal{E}_2 : \Sigma \vdash t{:}s$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,\forall x{:}s.A[I] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,[t/x]A[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi;\Gamma;\Delta_1,\forall x{:}s.A[I] \Rightarrow \gamma$    ${\forall}L$ Rule on previous line and $\mathcal{E}_2$

Case: $\mathcal{E}$ ends in $@R$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A \mathrel{@} I[I']$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A \mathrel{@} I[I']$    $@R$ Rule on previous line

Case: $\mathcal{E}$ ends in $@L$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta_1,A[I] \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,A \mathrel{@} I[I'] \Rightarrow \gamma$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A[I] \Rightarrow \gamma$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta_1,A \mathrel{@} I[I'] \Rightarrow \gamma$    $@L$ Rule on previous line

Case: $\mathcal{E}$ ends in affirms, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow A[I]$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$    affirms Rule on previous line

Case: $\mathcal{E}$ ends in $\langle\rangle R$, with premise $\mathcal{E}' : \Sigma;\Psi,C;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta \Rightarrow \langle K\rangle A[I]$.

1. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$    I.H. on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A[I]$    $\langle\rangle R$ Rule on previous line

Case: $\mathcal{E}$ ends in $\langle\rangle L$, with premises $\mathcal{E}_1 : \Sigma;\Psi,C;\Gamma;\Delta_1,A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'$ and $\mathcal{E}_2 : \Sigma;\Psi,C \models I \supseteq I'$, and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,\langle K\rangle A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'$.

1. $\Sigma;\Psi;\Gamma;\Delta_1,A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'$    I.H. on $\mathcal{D}$ and $\mathcal{E}_1$
2. $\Sigma;\Psi \models I \supseteq I'$    Cut Property of $\models$ on $\mathcal{D}$ and $\mathcal{E}_2$
3. $\Sigma;\Psi;\Gamma;\Delta_1,\langle K\rangle A[I] \Rightarrow (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'$    $\langle\rangle L$ Rule on previous lines

Case: $\mathcal{E}$ ends in ${\supseteq}R$, with premise $\mathcal{E}' : \Sigma;\Psi,C \models I \supseteq I'$ and conclusion $\Sigma;\Psi,C;\Gamma;\cdot \Rightarrow I \supseteq I'[I'']$.

1. $\Sigma;\Psi \models I \supseteq I'$    Cut Property of $\models$ on $\mathcal{D}$ and $\mathcal{E}'$
2. $\Sigma;\Psi;\Gamma;\cdot \Rightarrow I \supseteq I'[I'']$    ${\supseteq}R$ Rule on previous line

Case: $\mathcal{E}$ ends in ${\supseteq}L$, with premise $\mathcal{E}' : \Sigma;\Psi,C,I \supseteq I';\Gamma;\Delta_1 \Rightarrow \gamma$ and conclusion $\Sigma;\Psi,C;\Gamma;\Delta_1,I \supseteq I'[I''] \Rightarrow \gamma$.

1. $\Sigma;\Psi,I \supseteq I' \models C$    Weakening Property of $\models$ on $\mathcal{D}$
2. $\Sigma;\Psi,I \supseteq I';\Gamma;\Delta_1 \Rightarrow \gamma$    I.H. on previous line and $\mathcal{E}'$
3. $\Sigma;\Psi;\Gamma;\Delta_1,I \supseteq I'[I''] \Rightarrow \gamma$    ${\supseteq}L$ Rule on previous line

□


B.3.2 Substitution Lemma

Lemma 4. If $\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow \gamma$ and $\Sigma \vdash t{:}s$, then $\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x]\gamma$.

Proof. By structural induction on the given derivation $\mathcal{D}$ of $\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow \gamma$.

Case: $\mathsf{init}$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi \models I \supseteq I'}}{\Sigma,x{:}s;\Psi;\Gamma;P[I] \Rightarrow P[I']}\ \mathsf{init}$$
$\Sigma;[t/x]\Psi \models [t/x](I \supseteq I')$ by Substitution Property of $\models$ on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](P[I]) \Rightarrow [t/x](P[I'])$ by $\mathsf{init}$ rule and definition of substitution on previous line.

Case: $\mathsf{copy}$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma',A[I];\Delta,A[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma',A[I];\Delta \Rightarrow \gamma}\ \mathsf{copy}$$
$\Sigma;[t/x]\Psi;[t/x](\Gamma',A[I]);[t/x](\Delta,A[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x](\Gamma',A[I]);[t/x]\Delta \Rightarrow [t/x]\gamma$ by $\mathsf{copy}$ rule and definition of substitution on previous line.

Case: $\otimes R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I]} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_2 \Rightarrow A_2[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I]}\ \otimes R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta_1 \Rightarrow [t/x](A_1[I])$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta_2 \Rightarrow [t/x](A_2[I])$ by I.H. on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,\Delta_2) \Rightarrow [t/x](A_1 \otimes A_2[I])$ by $\otimes R$ rule and definition of substitution on previous lines.

Case: $\otimes L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1[I],A_2[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1 \otimes A_2[I] \Rightarrow \gamma}\ \otimes L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1[I],A_2[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1 \otimes A_2[I]) \Rightarrow [t/x]\gamma$ by $\otimes L$ rule and definition of substitution on previous line.

Case: $1R$.
$$\mathcal{D} = \dfrac{}{\Sigma,x{:}s;\Psi;\Gamma;\cdot \Rightarrow 1[I]}\ 1R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;\cdot \Rightarrow [t/x](1[I])$ by $1R$ rule and definition of substitution.

Case: $1L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1 \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,1[I] \Rightarrow \gamma}\ 1L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta_1 \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,1[I]) \Rightarrow [t/x]\gamma$ by $1L$ rule and definition of substitution on previous line.

Case: $\mathbin{\&}R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1[I]} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_2[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]}\ \mathbin{\&}R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1[I])$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_2[I])$ by I.H. on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1 \mathbin{\&} A_2[I])$ by $\mathbin{\&}R$ rule and definition of substitution on previous lines.

Case: $\mathbin{\&}L_1$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma}\ \mathbin{\&}L_1$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1 \mathbin{\&} A_2[I]) \Rightarrow [t/x]\gamma$ by $\mathbin{\&}L_1$ rule and definition of substitution on previous line.

Case: $\mathbin{\&}L_2$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma}\ \mathbin{\&}L_2$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_2[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1 \mathbin{\&} A_2[I]) \Rightarrow [t/x]\gamma$ by $\mathbin{\&}L_2$ rule and definition of substitution on previous line.

Case: $\top R$.
$$\mathcal{D} = \dfrac{}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow \top[I]}\ \top R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](\top[I])$ by $\top R$ rule and definition of substitution.

Case: $\oplus R_1$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]}\ \oplus R_1$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1[I])$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1 \oplus A_2[I])$ by $\oplus R_1$ rule and definition of substitution on previous line.

Case: $\oplus R_2$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_2[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]}\ \oplus R_2$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_2[I])$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1 \oplus A_2[I])$ by $\oplus R_2$ rule and definition of substitution on previous line.

Case: $\oplus L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1[I] \Rightarrow \gamma} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_2[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1 \oplus A_2[I] \Rightarrow \gamma}\ \oplus L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_2[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1 \oplus A_2[I]) \Rightarrow [t/x]\gamma$ by $\oplus L$ rule and definition of substitution on previous lines.

Case: $\multimap R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I]}\ \multimap R$$
$\Sigma,i{:}\mathsf{interval} \vdash t{:}s$ by Weakening on the given typing derivation.
$\Sigma,i{:}\mathsf{interval};[t/x](\Psi,I \supseteq i);[t/x]\Gamma;[t/x](\Delta,A_1[i]) \Rightarrow [t/x](A_2[i])$ by I.H. on previous line and $\mathcal{D}'$.
$\Sigma,i{:}\mathsf{interval};[t/x]\Psi,[t/x]I \supseteq i;[t/x]\Gamma;[t/x]\Delta,[t/x]A_1[i] \Rightarrow [t/x]A_2[i]$ by definition of substitution, since $i$ is fresh.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1 \multimap A_2[I])$ by $\multimap R$ rule and definition of substitution on previous line.

Case: $\multimap L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I']} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi \models I \supseteq I'} \quad \overset{\mathcal{D}_3}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_2,A_2[I'] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,\Delta_2,A_1 \multimap A_2[I] \Rightarrow \gamma}\ \multimap L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta_1 \Rightarrow [t/x](A_1[I'])$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi \models [t/x](I \supseteq I')$ by Substitution Property of $\models$ on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_2,A_2[I']) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_3$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,\Delta_2,A_1 \multimap A_2[I]) \Rightarrow [t/x]\gamma$ by $\multimap L$ rule and definition of substitution on previous lines.

Case: ${!}R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\cdot \Rightarrow A[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\cdot \Rightarrow {!}A[I]}\ {!}R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;\cdot \Rightarrow [t/x](A[I])$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;\cdot \Rightarrow [t/x]({!}A[I])$ by ${!}R$ rule and definition of substitution on previous line.

Case: ${!}L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma,A[I];\Delta_1 \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,{!}A[I] \Rightarrow \gamma}\ {!}L$$
$\Sigma;[t/x]\Psi;[t/x](\Gamma,A[I]);[t/x]\Delta_1 \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,{!}A[I]) \Rightarrow [t/x]\gamma$ by ${!}L$ rule and definition of substitution on previous line.

Case: $\supset R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I]}\ \supset R$$
$\Sigma,i{:}\mathsf{interval} \vdash t{:}s$ by Weakening on the given typing derivation.
$\Sigma,i{:}\mathsf{interval};[t/x](\Psi,I \supseteq i);[t/x](\Gamma,A_1[i]);[t/x]\Delta \Rightarrow [t/x](A_2[i])$ by I.H. on previous line and $\mathcal{D}'$.
$\Sigma,i{:}\mathsf{interval};[t/x]\Psi,[t/x]I \supseteq i;[t/x]\Gamma,[t/x]A_1[i];[t/x]\Delta \Rightarrow [t/x]A_2[i]$ by definition of substitution, since $i$ is fresh.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A_1 \supset A_2[I])$ by $\supset R$ rule and definition of substitution on previous line.

Case: $\supset L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\cdot \Rightarrow A_1[I']} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi \models I \supseteq I'} \quad \overset{\mathcal{D}_3}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_2[I'] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A_1 \supset A_2[I] \Rightarrow \gamma}\ \supset L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;\cdot \Rightarrow [t/x](A_1[I'])$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi \models [t/x](I \supseteq I')$ by Substitution Property of $\models$ on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_2[I']) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_3$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A_1 \supset A_2[I]) \Rightarrow [t/x]\gamma$ by $\supset L$ rule and definition of substitution on previous lines.

Case: $\forall R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s,x'{:}s';\Psi;\Gamma;\Delta \Rightarrow A[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow \forall x'{:}s'.A[I]}\ \forall R$$
$\Sigma,x'{:}s';[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A[I])$ by I.H. on $\mathcal{D}'$, since $x'$ is fresh (so $\Sigma,x'{:}s' \vdash t{:}s$ by Weakening).
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](\forall x'{:}s'.A[I])$ by $\forall R$ rule and definition of substitution on previous line.

Case: $\forall L$. There are two subcases: the term substituted by the $\forall L$ rule may be the variable $x$ itself, or it may not be.

Subcase:
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,[x/x']A[I] \Rightarrow \gamma} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s \vdash x{:}s}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,\forall x'{:}s.A[I] \Rightarrow \gamma}\ \forall L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,[x/x']A[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta_1,[t/x']([t/x]A)[I] \Rightarrow [t/x]\gamma$ by definition of substitution on previous line.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,\forall x'{:}s.A[I]) \Rightarrow [t/x]\gamma$ by $\forall L$ rule on previous line and the given derivation of $\Sigma \vdash t{:}s$, and definition of substitution.

Subcase:
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,[t'/x']A[I] \Rightarrow \gamma} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s \vdash t'{:}s'}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,\forall x'{:}s'.A[I] \Rightarrow \gamma}\ \forall L$$
$\Sigma \vdash [t/x]t'{:}s'$ by substitution of $t$ for $x$ in $\mathcal{D}_2$ (this is $\mathcal{D}_2$ itself when $x$ does not occur in $t'$).
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,[t'/x']A[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,\forall x'{:}s'.A[I]) \Rightarrow [t/x]\gamma$ by $\forall L$ rule and definition of substitution on previous lines.

Case: $@R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A\,@\,I\,[I']}\ @R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A[I])$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A\,@\,I\,[I'])$ by $@R$ rule and definition of substitution on previous line.

Case: $@L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A[I] \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,A\,@\,I\,[I'] \Rightarrow \gamma}\ @L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A[I]) \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,A\,@\,I\,[I']) \Rightarrow [t/x]\gamma$ by $@L$ rule and definition of substitution on previous line.

Case: $\mathsf{affirms}$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A[I]}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I}\ \mathsf{affirms}$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](A[I])$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x]((K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I)$ by $\mathsf{affirms}$ rule and definition of substitution on previous line.

Case: $\langle\rangle R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A[I]}\ \langle\rangle R$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x]((K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I)$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \Rightarrow [t/x](\langle K\rangle A[I])$ by $\langle\rangle R$ rule and definition of substitution on previous line.

Case: $\langle\rangle L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,B[I] \Rightarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I'} \quad \overset{\mathcal{D}_2}{\Sigma,x{:}s;\Psi \models I \supseteq I'}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,\langle K\rangle B[I] \Rightarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I'}\ \langle\rangle L$$
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,B[I]) \Rightarrow [t/x]((K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I')$ by I.H. on $\mathcal{D}_1$.
$\Sigma;[t/x]\Psi \models [t/x](I \supseteq I')$ by Substitution Property of $\models$ on $\mathcal{D}_2$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,\langle K\rangle B[I]) \Rightarrow [t/x]((K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I')$ by $\langle\rangle L$ rule and definition of substitution on previous lines.

Case: $\supseteq R$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi \models I \supseteq I'}}{\Sigma,x{:}s;\Psi;\Gamma;\cdot \Rightarrow I \supseteq I'\,[I'']}\ \supseteq R$$
$\Sigma;[t/x]\Psi \models [t/x](I \supseteq I')$ by Substitution Property of $\models$ on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;\cdot \Rightarrow [t/x](I \supseteq I'\,[I''])$ by $\supseteq R$ rule and definition of substitution on previous line.

Case: $\supseteq L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi,I \supseteq I';\Gamma;\Delta_1 \Rightarrow \gamma}}{\Sigma,x{:}s;\Psi;\Gamma;\Delta_1,I \supseteq I'\,[I''] \Rightarrow \gamma}\ \supseteq L$$
$\Sigma;[t/x](\Psi,I \supseteq I');[t/x]\Gamma;[t/x]\Delta_1 \Rightarrow [t/x]\gamma$ by I.H. on $\mathcal{D}'$.
$\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x](\Delta_1,I \supseteq I'\,[I'']) \Rightarrow [t/x]\gamma$ by $\supseteq L$ rule and definition of substitution on previous line.

□


B.3.3 Admissibility of Cut Proof

Theorem 1.

1. If $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$ and $\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow \gamma$, then $\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$.

2. If $\Sigma;\Psi;\Gamma;\cdot \Rightarrow A[I]$ and $\Sigma;\Psi;\Gamma,A[I];\Delta' \Rightarrow \gamma$, then $\Sigma;\Psi;\Gamma;\Delta' \Rightarrow \gamma$.

3. If $\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I$ and $\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$.

Proof. By simultaneous induction. Part 1 is proven by nested induction on the size of the cut formula $A$ and on the size of the given derivations. Part 2 is proven by structural induction on the second given derivation, where we may appeal to Part 1 even on larger derivations. Part 3 is proven by structural induction on the first given derivation. Throughout, $\mathcal{D}$ names the first given derivation, $\mathcal{E}$ the second, and (in Part 3) $\mathcal{F}$ the third; I.H.($n$) denotes the induction hypothesis for Part $n$.

Part 1:

Case: Initial Cut

Subcase:
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi \models I \supseteq I'}}{\Sigma;\Psi;\Gamma;P[I] \Rightarrow P[I']}\ \mathsf{init} \quad (P \text{ atomic})$$
and $\mathcal{D}$ derives $\Sigma;\Psi;\Gamma;\Delta \Rightarrow P[I]$; here $\Delta' = \cdot$.
$\Sigma;\Psi;\Gamma;\Delta \Rightarrow P[I']$ by Theorem 3 on $\mathcal{D}$ and $\mathcal{E}'$.

Case: Principal Cuts

Subcase: $\otimes$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A_1[I]} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi;\Gamma;\Delta_2 \Rightarrow A_2[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \Rightarrow A_1 \otimes A_2[I]}\ \otimes R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A_1[I],A_2[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \otimes A_2[I] \Rightarrow \gamma}\ \otimes L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,A_2[I] \Rightarrow \gamma$ by I.H.(1) on $A_1$, $\mathcal{D}_1$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,\Delta_2 \Rightarrow \gamma$ by I.H.(1) on $A_2$, $\mathcal{D}_2$, and previous line.

Subcase: $1$.
$$\mathcal{D} = \dfrac{}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow 1[I]}\ 1R \qquad\text{and}\qquad \mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta' \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',1[I] \Rightarrow \gamma}\ 1L$$
$\Sigma;\Psi;\Gamma;\Delta',\cdot \Rightarrow \gamma$ is exactly $\mathcal{E}'$.

Subcase: $\mathbin{\&}$, first projection.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]}\ \mathbin{\&}R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A_1[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma}\ \mathbin{\&}L_1$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_1$, $\mathcal{D}_1$, and $\mathcal{E}'$.

Subcase: $\mathbin{\&}$, second projection.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \mathbin{\&} A_2[I]}\ \mathbin{\&}R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A_2[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \mathbin{\&} A_2[I] \Rightarrow \gamma}\ \mathbin{\&}L_2$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_2$, $\mathcal{D}_2$, and $\mathcal{E}'$.

Subcase: $\oplus$, first injection.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]}\ \oplus R_1$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta',A_1[I] \Rightarrow \gamma} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta',A_2[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \oplus A_2[I] \Rightarrow \gamma}\ \oplus L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_1$, $\mathcal{D}'$, and $\mathcal{E}_1$.

Subcase: $\oplus$, second injection.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \oplus A_2[I]}\ \oplus R_2$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta',A_1[I] \Rightarrow \gamma} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta',A_2[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \oplus A_2[I] \Rightarrow \gamma}\ \oplus L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_2$, $\mathcal{D}'$, and $\mathcal{E}_2$.

Subcase: $\multimap$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma;\Delta,A_1[i] \Rightarrow A_2[i]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \multimap A_2[I]}\ \multimap R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1 \Rightarrow A_1[I']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I \supseteq I'} \quad \overset{\mathcal{E}_3}{\Sigma;\Psi;\Gamma;\Delta'_2,A_2[I'] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,A_1 \multimap A_2[I] \Rightarrow \gamma}\ \multimap L$$
$\Sigma;[I'/i](\Psi,I \supseteq i);[I'/i]\Gamma;[I'/i](\Delta,A_1[i]) \Rightarrow [I'/i](A_2[i])$ by Lemma 4 on $\mathcal{D}'$.
$\Sigma;\Psi,I \supseteq I';\Gamma;\Delta,A_1[I'] \Rightarrow A_2[I']$ by definition of substitution on previous line, since $i$ is fresh.
$\Sigma;\Psi;\Gamma;\Delta,A_1[I'] \Rightarrow A_2[I']$ by Lemma 3 on $\mathcal{E}_2$ and previous line.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta \Rightarrow A_2[I']$ by I.H.(1) on $A_1$, $\mathcal{E}_1$, and previous line.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,\Delta \Rightarrow \gamma$ by I.H.(1) on $A_2$, previous line, and $\mathcal{E}_3$.

Subcase: ${!}$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow A_1[I]}}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow {!}A_1[I]}\ {!}R \qquad\text{and}\qquad \mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma,A_1[I];\Delta' \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',{!}A_1[I] \Rightarrow \gamma}\ {!}L$$
Here $\Delta = \cdot$.
$\Sigma;\Psi;\Gamma;\Delta' \Rightarrow \gamma$ by I.H.(2) on $A_1$, $\mathcal{D}'$, and $\mathcal{E}'$.

Subcase: $\supset$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,i{:}\mathsf{interval};\Psi,I \supseteq i;\Gamma,A_1[i];\Delta \Rightarrow A_2[i]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1 \supset A_2[I]}\ \supset R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow A_1[I']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I \supseteq I'} \quad \overset{\mathcal{E}_3}{\Sigma;\Psi;\Gamma;\Delta',A_2[I'] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1 \supset A_2[I] \Rightarrow \gamma}\ \supset L$$
$\Sigma;[I'/i](\Psi,I \supseteq i);[I'/i](\Gamma,A_1[i]);[I'/i]\Delta \Rightarrow [I'/i](A_2[i])$ by Lemma 4 on $\mathcal{D}'$.
$\Sigma;\Psi,I \supseteq I';\Gamma,A_1[I'];\Delta \Rightarrow A_2[I']$ by definition of substitution on previous line, since $i$ is fresh.
$\Sigma;\Psi;\Gamma,A_1[I'];\Delta \Rightarrow A_2[I']$ by Lemma 3 on $\mathcal{E}_2$ and previous line.
$\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_2[I']$ by I.H.(2) on $A_1$, $\mathcal{E}_1$, and previous line.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_2$, previous line, and $\mathcal{E}_3$.

Subcase: $\forall$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A_1[I]}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \forall x{:}s.A_1[I]}\ \forall R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta',[t/x]A_1[I] \Rightarrow \gamma} \quad \overset{\mathcal{E}_2}{\Sigma \vdash t{:}s}}{\Sigma;\Psi;\Gamma;\Delta',\forall x{:}s.A_1[I] \Rightarrow \gamma}\ \forall L$$
$\Sigma;\Psi;\Gamma;\Delta \Rightarrow [t/x]A_1[I]$ by Lemma 4 on $\mathcal{E}_2$ and $\mathcal{D}'$, since $x$ does not occur in $\Psi$, $\Gamma$, $\Delta$, or $I$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $[t/x]A_1$, previous line, and $\mathcal{E}_1$.

Subcase: $@$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1[I']}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow A_1\,@\,I'\,[I]}\ @R \qquad\text{and}\qquad \mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A_1[I'] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',A_1\,@\,I'\,[I] \Rightarrow \gamma}\ @L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \gamma$ by I.H.(1) on $A_1$, $\mathcal{D}'$, and $\mathcal{E}'$.

Subcase: $\langle\rangle$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow (K\ \mathsf{affirms}\ A_1)\ \mathsf{at}\ I}}{\Sigma;\Psi;\Gamma;\Delta \Rightarrow \langle K\rangle A_1[I]}\ \langle\rangle R$$
and
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta',A_1[I] \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I \supseteq I'}}{\Sigma;\Psi;\Gamma;\Delta',\langle K\rangle A_1[I] \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'}\ \langle\rangle L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$ by I.H.(3) on $A_1$, $\mathcal{D}'$, $\mathcal{E}_1$, and $\mathcal{E}_2$.

Subcase: $\supseteq$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi \models I' \supseteq I''}}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow I' \supseteq I''\,[I]}\ \supseteq R \qquad\text{and}\qquad \mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta' \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta',I' \supseteq I''\,[I] \Rightarrow \gamma}\ \supseteq L$$
Here $\Delta = \cdot$.
$\Sigma;\Psi;\Gamma;\Delta' \Rightarrow \gamma$ by Lemma 3 on $\mathcal{D}'$ and $\mathcal{E}'$.

Case: Left Commutative Cuts

In each subcase $\mathcal{D}$ ends in a left rule, and $\mathcal{E}$ is the given derivation of $\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow \gamma$.

Subcase: $\mathsf{copy}$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma',B[I'];\Delta,B[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma',B[I'];\Delta \Rightarrow A[I]}\ \mathsf{copy}$$
$\Sigma;\Psi;\Gamma',B[I'];\Delta',\Delta,B[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma',B[I'];\Delta',\Delta \Rightarrow \gamma$ by $\mathsf{copy}$ rule on previous line.

Subcase: $\otimes L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta_1,B_1[I'],B_2[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B_1 \otimes B_2[I'] \Rightarrow A[I]}\ \otimes L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1[I'],B_2[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1 \otimes B_2[I'] \Rightarrow \gamma$ by $\otimes L$ rule on previous line.

Subcase: $1L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,1[I'] \Rightarrow A[I]}\ 1L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1 \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,1[I'] \Rightarrow \gamma$ by $1L$ rule on previous line.

Subcase: $\mathbin{\&}L_1$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta_1,B_1[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I'] \Rightarrow A[I]}\ \mathbin{\&}L_1$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1 \mathbin{\&} B_2[I'] \Rightarrow \gamma$ by $\mathbin{\&}L_1$ rule on previous line.

Subcase: $\mathbin{\&}L_2$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta_1,B_2[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B_1 \mathbin{\&} B_2[I'] \Rightarrow A[I]}\ \mathbin{\&}L_2$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_2[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1 \mathbin{\&} B_2[I'] \Rightarrow \gamma$ by $\mathbin{\&}L_2$ rule on previous line.

Subcase: $\oplus L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta_1,B_1[I'] \Rightarrow A[I]} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi;\Gamma;\Delta_1,B_2[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B_1 \oplus B_2[I'] \Rightarrow A[I]}\ \oplus L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}_1$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_2[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}_2$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1 \oplus B_2[I'] \Rightarrow \gamma$ by $\oplus L$ rule on previous lines.

Subcase: $\multimap L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta_1 \Rightarrow B_1[I'']} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi \models I' \supseteq I''} \quad \overset{\mathcal{D}_3}{\Sigma;\Psi;\Gamma;\Delta_2,B_2[I''] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,B_1 \multimap B_2[I'] \Rightarrow A[I]}\ \multimap L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_2,B_2[I''] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}_3$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta_1,\Delta',\Delta_2,B_1 \multimap B_2[I'] \Rightarrow \gamma$ by $\multimap L$ rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line.

Subcase: ${!}L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma,B[I'];\Delta_1 \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,{!}B[I'] \Rightarrow A[I]}\ {!}L$$
$\Sigma;\Psi;\Gamma,B[I'];\Delta',A[I] \Rightarrow \gamma$ by Weakening on $\mathcal{E}$.
$\Sigma;\Psi;\Gamma,B[I'];\Delta',\Delta_1 \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and previous line.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,{!}B[I'] \Rightarrow \gamma$ by ${!}L$ rule on previous line.

Subcase: $\supset L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow B_1[I'']} \quad \overset{\mathcal{D}_2}{\Sigma;\Psi \models I' \supseteq I''} \quad \overset{\mathcal{D}_3}{\Sigma;\Psi;\Gamma;\Delta_1,B_2[I''] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B_1 \supset B_2[I'] \Rightarrow A[I]}\ \supset L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_2[I''] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}_3$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B_1 \supset B_2[I'] \Rightarrow \gamma$ by $\supset L$ rule on $\mathcal{D}_1$, $\mathcal{D}_2$, and previous line.

Subcase: $\forall L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}_1}{\Sigma;\Psi;\Gamma;\Delta_1,[t/x]B[I'] \Rightarrow A[I]} \quad \overset{\mathcal{D}_2}{\Sigma \vdash t{:}s}}{\Sigma;\Psi;\Gamma;\Delta_1,\forall x{:}s.B[I'] \Rightarrow A[I]}\ \forall L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,[t/x]B[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}_1$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,\forall x{:}s.B[I'] \Rightarrow \gamma$ by $\forall L$ rule on previous line and $\mathcal{D}_2$.

Subcase: $@L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi;\Gamma;\Delta_1,B[I'] \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,B\,@\,I'\,[I''] \Rightarrow A[I]}\ @L$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and $\mathcal{E}$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,B\,@\,I'\,[I''] \Rightarrow \gamma$ by $@L$ rule on previous line.

Subcase: $\supseteq L$.
$$\mathcal{D} = \dfrac{\overset{\mathcal{D}'}{\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta_1 \Rightarrow A[I]}}{\Sigma;\Psi;\Gamma;\Delta_1,I' \supseteq I''\,[I'''] \Rightarrow A[I]}\ \supseteq L$$
$\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta',A[I] \Rightarrow \gamma$ by Weakening on $\mathcal{E}$.
$\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta',\Delta_1 \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}'$, and previous line.
$\Sigma;\Psi;\Gamma;\Delta',\Delta_1,I' \supseteq I''\,[I'''] \Rightarrow \gamma$ by $\supseteq L$ rule on previous line.

Case: Right Commutative Cuts

In each subcase $\mathcal{E}$ ends in a rule whose principal formula is not the cut formula $A[I]$, and $\mathcal{D}$ is the given derivation of $\Sigma;\Psi;\Gamma;\Delta \Rightarrow A[I]$.

Subcase: $\mathsf{copy}$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma',B[I'];\Delta',A[I],B[I'] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma',B[I'];\Delta',A[I] \Rightarrow \gamma}\ \mathsf{copy}$$
$\Sigma;\Psi;\Gamma',B[I'];\Delta',\Delta,B[I'] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma',B[I'];\Delta',\Delta \Rightarrow \gamma$ by $\mathsf{copy}$ rule on previous line.

Subcase: The last inference of $\mathcal{E}$ is the $\otimes R$ rule. There are two subsubcases; the resource $A[I]$ may be sent to the derivation of the left premise, or it may be sent to the derivation of the right premise.

Subsubcase:
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1,A[I] \Rightarrow B_1[I']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta'_2 \Rightarrow B_2[I']}}{\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,A[I] \Rightarrow B_1 \otimes B_2[I']}\ \otimes R$$
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta \Rightarrow B_1[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta,\Delta'_2 \Rightarrow B_1 \otimes B_2[I']$ by $\otimes R$ rule on previous line and $\mathcal{E}_2$.

Subsubcase:
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1 \Rightarrow B_1[I']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta'_2,A[I] \Rightarrow B_2[I']}}{\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,A[I] \Rightarrow B_1 \otimes B_2[I']}\ \otimes R$$
$\Sigma;\Psi;\Gamma;\Delta'_2,\Delta \Rightarrow B_2[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_2$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,\Delta \Rightarrow B_1 \otimes B_2[I']$ by $\otimes R$ rule on $\mathcal{E}_1$ and previous line.

Subcase: $\otimes L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],B_2[I'],A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \otimes B_2[I'],A[I] \Rightarrow \gamma}\ \otimes L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],B_2[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \otimes B_2[I'],\Delta \Rightarrow \gamma$ by $\otimes L$ rule on previous line.

Note: There is no case here for the $1R$ rule. This rule requires the linear context in the conclusion to be empty. But the derivation $\mathcal{E}$ must have the cut formula $A[I]$ as an assumption in the linear context. So it is impossible for $\mathcal{E}$ to end with the $1R$ rule.

Subcase: $1L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta'_1,A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,1[I'],A[I] \Rightarrow \gamma}\ 1L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,1[I'],\Delta \Rightarrow \gamma$ by $1L$ rule on previous line.

Subcase: $\mathbin{\&}R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1[I']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_2[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1 \mathbin{\&} B_2[I']}\ \mathbin{\&}R$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_2[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_2$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1 \mathbin{\&} B_2[I']$ by $\mathbin{\&}R$ rule on previous lines.

Subcase: $\mathbin{\&}L_1$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \mathbin{\&} B_2[I'],A[I] \Rightarrow \gamma}\ \mathbin{\&}L_1$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \mathbin{\&} B_2[I'],\Delta \Rightarrow \gamma$ by $\mathbin{\&}L_1$ rule on previous line.

Subcase: $\mathbin{\&}L_2$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta'_1,B_2[I'],A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \mathbin{\&} B_2[I'],A[I] \Rightarrow \gamma}\ \mathbin{\&}L_2$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B_2[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \mathbin{\&} B_2[I'],\Delta \Rightarrow \gamma$ by $\mathbin{\&}L_2$ rule on previous line.

Subcase: $\top R$.
$$\mathcal{E} = \dfrac{}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow \top[I']}\ \top R$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \top[I']$ by $\top R$ rule.

Subcase: $\oplus R_1$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1 \oplus B_2[I']}\ \oplus R_1$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1 \oplus B_2[I']$ by $\oplus R_1$ rule on previous line.

Subcase: $\oplus R_2$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_2[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1 \oplus B_2[I']}\ \oplus R_2$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_2[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1 \oplus B_2[I']$ by $\oplus R_2$ rule on previous line.

Subcase: $\oplus L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],A[I] \Rightarrow \gamma} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi;\Gamma;\Delta'_1,B_2[I'],A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \oplus B_2[I'],A[I] \Rightarrow \gamma}\ \oplus L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_2[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_2$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \oplus B_2[I'],\Delta \Rightarrow \gamma$ by $\oplus L$ rule on previous lines.

Subcase: $\multimap R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;\Delta',A[I],B_1[i'] \Rightarrow B_2[i']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1 \multimap B_2[I']}\ \multimap R$$
$\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;\Delta \Rightarrow A[I]$ by Weakening on $\mathcal{D}$.
$\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma;\Delta',\Delta,B_1[i'] \Rightarrow B_2[i']$ by I.H.(1) on $A$, previous line, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1 \multimap B_2[I']$ by $\multimap R$ rule on previous line.

Subcase: The last inference of $\mathcal{E}$ is the $\multimap L$ rule. There are two subsubcases; the resource $A[I]$ may be sent to the derivation of the left premise, or it may be sent to the derivation of the right premise.

Subsubcase:
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1,A[I] \Rightarrow B_1[I'']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I' \supseteq I''} \quad \overset{\mathcal{E}_3}{\Sigma;\Psi;\Gamma;\Delta'_2,B_2[I''] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,B_1 \multimap B_2[I'],A[I] \Rightarrow \gamma}\ \multimap L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta \Rightarrow B_1[I'']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta,\Delta'_2,B_1 \multimap B_2[I'] \Rightarrow \gamma$ by $\multimap L$ rule on previous line, $\mathcal{E}_2$, and $\mathcal{E}_3$.

Subsubcase:
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1 \Rightarrow B_1[I'']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I' \supseteq I''} \quad \overset{\mathcal{E}_3}{\Sigma;\Psi;\Gamma;\Delta'_2,A[I],B_2[I''] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,B_1 \multimap B_2[I'],A[I] \Rightarrow \gamma}\ \multimap L$$
$\Sigma;\Psi;\Gamma;\Delta'_2,\Delta,B_2[I''] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_3$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta'_2,B_1 \multimap B_2[I'],\Delta \Rightarrow \gamma$ by $\multimap L$ rule on $\mathcal{E}_1$, $\mathcal{E}_2$, and previous line.

Note: There is no case here for the ${!}R$ rule. This rule requires the linear context in the conclusion to be empty. But the derivation $\mathcal{E}$ must have the cut formula $A[I]$ as an assumption in the linear context. So it is impossible for $\mathcal{E}$ to end with the ${!}R$ rule.

Subcase: ${!}L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma,B[I'];\Delta'_1,A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,{!}B[I'],A[I] \Rightarrow \gamma}\ {!}L$$
$\Sigma;\Psi;\Gamma,B[I'];\Delta \Rightarrow A[I]$ by Weakening on $\mathcal{D}$.
$\Sigma;\Psi;\Gamma,B[I'];\Delta'_1,\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, previous line, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,{!}B[I'],\Delta \Rightarrow \gamma$ by ${!}L$ rule on previous line.

Subcase: $\supset R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,B_1[i'];\Delta',A[I] \Rightarrow B_2[i']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B_1 \supset B_2[I']}\ \supset R$$
$\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,B_1[i'];\Delta \Rightarrow A[I]$ by Weakening on $\mathcal{D}$.
$\Sigma,i'{:}\mathsf{interval};\Psi,I' \supseteq i';\Gamma,B_1[i'];\Delta',\Delta \Rightarrow B_2[i']$ by I.H.(1) on $A$, previous line, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B_1 \supset B_2[I']$ by $\supset R$ rule on previous line.

Subcase: $\supset L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\cdot \Rightarrow B_1[I'']} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I' \supseteq I''} \quad \overset{\mathcal{E}_3}{\Sigma;\Psi;\Gamma;\Delta'_1,A[I],B_2[I''] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \supset B_2[I'],A[I] \Rightarrow \gamma}\ \supset L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,\Delta,B_2[I''] \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_3$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B_1 \supset B_2[I'],\Delta \Rightarrow \gamma$ by $\supset L$ rule on $\mathcal{E}_1$, $\mathcal{E}_2$, and previous line.

Subcase: $\forall R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma,x{:}s;\Psi;\Gamma;\Delta',A[I] \Rightarrow B[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow \forall x{:}s.B[I']}\ \forall R$$
$\Sigma,x{:}s;\Psi;\Gamma;\Delta \Rightarrow A[I]$ by Weakening on $\mathcal{D}$.
$\Sigma,x{:}s;\Psi;\Gamma;\Delta',\Delta \Rightarrow B[I']$ by I.H.(1) on $A$, previous line, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \forall x{:}s.B[I']$ by $\forall R$ rule on previous line.

Subcase: $\forall L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1,[t/x]B[I'],A[I] \Rightarrow \gamma} \quad \overset{\mathcal{E}_2}{\Sigma \vdash t{:}s}}{\Sigma;\Psi;\Gamma;\Delta'_1,\forall x{:}s.B[I'],A[I] \Rightarrow \gamma}\ \forall L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,[t/x]B[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\forall x{:}s.B[I'],\Delta \Rightarrow \gamma$ by $\forall L$ rule on previous line and $\mathcal{E}_2$.

Subcase: $@R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B\,@\,I'\,[I'']}\ @R$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B\,@\,I'\,[I'']$ by $@R$ rule on previous line.

Subcase: $@L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta'_1,B[I'],A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,B\,@\,I'\,[I''],A[I] \Rightarrow \gamma}\ @L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B[I'],\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,B\,@\,I'\,[I''],\Delta \Rightarrow \gamma$ by $@L$ rule on previous line.

Subcase: $\langle\rangle R$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow \langle K\rangle B[I']}\ \langle\rangle R$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow \langle K\rangle B[I']$ by $\langle\rangle R$ rule on previous line.

Subcase: $\langle\rangle L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}_1}{\Sigma;\Psi;\Gamma;\Delta'_1,B[I'],A[I] \Rightarrow (K\ \mathsf{affirms}\ D)\ \mathsf{at}\ I''} \quad \overset{\mathcal{E}_2}{\Sigma;\Psi \models I' \supseteq I''}}{\Sigma;\Psi;\Gamma;\Delta'_1,\langle K\rangle B[I'],A[I] \Rightarrow (K\ \mathsf{affirms}\ D)\ \mathsf{at}\ I''}\ \langle\rangle L$$
$\Sigma;\Psi;\Gamma;\Delta'_1,B[I'],\Delta \Rightarrow (K\ \mathsf{affirms}\ D)\ \mathsf{at}\ I''$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}_1$.
$\Sigma;\Psi;\Gamma;\Delta'_1,\langle K\rangle B[I'],\Delta \Rightarrow (K\ \mathsf{affirms}\ D)\ \mathsf{at}\ I''$ by $\langle\rangle L$ rule on previous line and $\mathcal{E}_2$.

Subcase: $\mathsf{affirms}$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow B[I']}}{\Sigma;\Psi;\Gamma;\Delta',A[I] \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'}\ \mathsf{affirms}$$
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow B[I']$ by I.H.(1) on $A$, $\mathcal{D}$, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta',\Delta \Rightarrow (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$ by $\mathsf{affirms}$ rule on previous line.

Note: There is no case here for the $\supseteq R$ rule. This rule requires the linear context in the conclusion to be empty. But the derivation $\mathcal{E}$ must have the cut formula $A[I]$ as an assumption in the linear context. So it is impossible for $\mathcal{E}$ to end with the $\supseteq R$ rule.

Subcase: $\supseteq L$.
$$\mathcal{E} = \dfrac{\overset{\mathcal{E}'}{\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta'_1,A[I] \Rightarrow \gamma}}{\Sigma;\Psi;\Gamma;\Delta'_1,I' \supseteq I''\,[I'''],A[I] \Rightarrow \gamma}\ \supseteq L$$
$\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta \Rightarrow A[I]$ by Weakening on $\mathcal{D}$.
$\Sigma;\Psi,I' \supseteq I'';\Gamma;\Delta'_1,\Delta \Rightarrow \gamma$ by I.H.(1) on $A$, previous line, and $\mathcal{E}'$.
$\Sigma;\Psi;\Gamma;\Delta'_1,I' \supseteq I''\,[I'''],\Delta \Rightarrow \gamma$ by $\supseteq L$ rule on previous line.

This ends the proof of Part 1.

Part  2: 

Case:  Initial  Cut 
Subcase: 


S' 

c  _  E;  T  \=  I'  D  I"  (P  atomic) 

“£;T;r,A[/];P[/']^P[/"]  mit 

E;  T;  P;  P[I']  =7-  P[I "]  init  Rule  on  £' 

Case:  Copy  Cut 
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Subcase: 


£ 


S' 

E^-,r,Ain-,A',A[I]  =» 
E;tf;I\A[I];A'=i-7 


7 


copy 


E;tf;r;A',A[il=>7 

S;v]/;r;A/^7 


I.H.(2)  on  T>  and  S' 
I.H.(l)  on  R,  V,  and  previous  line 


Case:  Right  Commutative  Cuts 


Subcase: 


£ 


£' 

S;vh;r,R[//],R[/];A^,R[//]=7  7 
E;*;r',.B[I'],A[i];A'=*7 


copy 


£[/'];  A',  £[/']=►  7 
S;^;r',R[/'];A'^7 

Subcase: 


I.H.(2)  on  V  and  £' 
copy  Rule  on  previous  line 


£ 


£\  So 

S;  r,  All}- a;  =>  B1[I/]  £;  fr;  R  Ajlf,  A'2  =>  B2[If] 


®R 


I.H.(2)  on  D  and  £\ 
I.H.(2)  on  D  and  82 
®R  Rule  on  previous  lines 

Subcase: 


Sjd'jT;  Ai  =>  Bi[I'] 
E;$;r;A'^B2[/'] 
E^jTjAi.A'a  ^Bl®B2[I'} 


S' 

F  =  E-,*-,T,A[I]-,A'1,B1[I'],B2[I']^'y 

E;®;r,A[il;A'1,JB1(gS2[/']=>7  0 

I.H.(2)  on  D  and  S' 
®L  Rule  on  previous  line 

Subcase: 


£;tf;r;A'1,JB1[/'],B2[J']=>7 


5 


£;tf;r,A[2];  ■=*►![/'] 


1R 


m 


1R  Rule 
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Subcase: 


S' 


£= 


![/']=►  7 


1 L 


E;®;r;A,1=>7 
E;^;r;  A',  ![!']  = 


7 


Subcase: 


£i 


E;  tfjT;  A' 
S;^;r;  A' 
E;  tfjT;  A' 


B2[I'] 

B1&B2[I'} 


Subcase: 


S' 


S;^;r;A',JB1[/']=^7 


7 


Subcase: 


£  = 


E;tf;r;A'1,B2[/']=>7 


7 


Subcase: 


7 


E;tf;r,A[i];A'1,JB1&£2[J/]=>7 


S' 

E;^;r,A[il;A/1,52[7/]=}-7 


E;tf;r,A[I];A'1,JB1&£2[J']=>7 


&L2 


I.H.(2)  on  T>  and  £’ 
1L  Rule  on  previous  line 


F  =  s;  g;  r,  a/  =7  b-^i']  s;  r,  A[/];  a'  =t>  g^r] 


I.H.(2)  on  D  and  £\ 
I.H.(2)  on  D  and  £2 
SzR  Rule  on  previous  lines 


&Li 


I.H.(2)  on  V  and  £' 
&Li  Rule  on  previous  line 


I.H.(2)  on  V  and  £' 
£lL2  Rule  on  previous  line 


£  =  . 


S;  lH;  T,  A[I];  A'  =$■  T[/'] 


T  R 


E;^;r;  A' 


T[/'] 


T R  Rule 


Subcase: 
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£ 


£' 

E;vfr;r,,4[J];A'^  £?![!'] 


©i?l 


Ej^TjA'  =>  B1®  B2  [/'] 

Subcase: 


I.H.(2)  on  V  and  S' 
©i?i  Rule  on  previous  line 


£ 


£; 


£’ 

£;$;r,yl[ll;A^fi2[Jl 


©i?2 


E^j^A'^Sat/'] 

E^j^A'^SieBat/'] 


I.H.(2)  on  P  and  £7 
©i?2  Rule  on  previous  line 


Subcase: 


g  g 

f  _  ;  r ,  -A[/];  Ai,Bi[I']  ==>  7  S;tt;r,A[I];A',B2[J7]  =>7 

E;v]/;r,A[/];A'1,R1©JB2[/']^7 


E;\E';r;A71,B1[/7]^7 

S;^;r;A'1,JB2[//]=^7 

E;®;r;A,1,B1^B2[/,]=j-7 

Subcase: 


I.H.(2)  on  V  and  £\ 
I.H.(2)  on  D  and  £2 
@L  Rule  on  previous  lines 


£  = 


& 

_  E,i':interval;®,  J7  D  i';  T,  A[IJ;  A',  B^i']  = =7  B2[i7] 


E,  i7:interval;  T,  I'  D  i7;  T ;  •  =7  A[I] 

E,  ihinterval;  ik,  I'  D  T;  A',  Ri[i']  =►  B2[i'] 
Ej^rjA'^Bi^Bat/'] 


Weakening  on  T> 
I.H.(2)  on  previous  line  and  £' 
— o R  Rule  on  previous  line 


Subcase:  The  last  rule  of  V  is  —°L,  and  T>  has  the  form: 

£\  £2  £3 

S;  T  ==>  I'  A  I"  E;  T;  T,  Ajlf,  A7 ,  B2[I"}  =7-  7 

S;^;r,^[/];A7,A7,B1^B2[/7]^7 


oL 


S;T;r;A7 


►  Bi  in 
S;T;r;A7,B2[/77]  =^7 


7 


I.H.(2)  on  D  and  £\ 
I.H.(2)  on  D  and  £3 
oL  Rule  on  hrst  line,  £2,  and  second  line 


Subcase: 


68 


£' 

E;*;r,A[i];.=*!B[J']  M 

I.H.(2)  on  V  and  £' 
\R  Rule  on  previous  line 

Subcase: 


£;*;  IV  =►£[/'] 
£;*;  IV  =►!£[/'] 


£' 

r  =  'Z-,*]r,AlI},BlI'};A’1=*'y 
E;^;r,A[i];A/1)!S[J/]=»7  L 

Weakening  on  T> 
I.H.(2)  on  previous  line  and  £’ 
\L  Rule  on  previous  line 

Subcase: 


S;^;r  ,£[/'];■  =>A[7] 
E;®;r,JB[//];A/1=>7 

E;*;!^,  !£[/']=*►  7 


£  = 


£’ 

=  £,  ^interval;  'k,  I'  D  T,  A [7],  Bx  [*'];  A'  =►  52[*'] 


E;$;r,il[/];A'^B1DB2[/'] 


dR 


E,  ^interval;  \k,  I'  D  T,  B1  [i'];  •  =>  A[I\ 

E,  z'rinterval;  'k,  I'  D  T,  Rip'];  A'  =^>  B2[i'} 

>Bl^B2[I'} 


E;  'I';  T;  A' 


Weakening  on  T> 
I.H.(2)  on  previous  line  and  £' 
I)R  Rule  on  previous  line 


Subcase: 


£\ 


£2 


£  = 


E;^/"D/'  S;  *;  I\  Aflf,  A[,  B2[I"}  =>  7 


E;$;rid[/];A',B1DB2[7']^7 


dr 


e;\i>;IV  ^r^j"] 
E;vI/;r;A'1,JB2[I"]=^7 

Subcase: 


I.H.(2)  on  D  and  £\ 
I.H.(2)  on  T>  and  £3 
Rule  on  first  line,  £2,  and  second  line 


£' 

F=  E,  z:s;  tt;r,,4|[/];  A' =»R[J'] 
£;tf;r,A[i];A'  =>Vz:s.R[I'] 

E,  x:s;  'k;  T;  •  ==>  A[I\ 

E,  x:s;  'k;  T;  A'  =^>  B[I'] 

E;^;r;  A'  =>•  \/x:s.B[I'] 
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Weakening  on  V> 
I.H.(2)  on  V,  and  £' 
MR  Rule  on  previous  line 


Subcase: 


£ 


£\  £2 

E;vP;r,A[J];A',Vx]R[A]  ^7  S  Mi f  vr 
E;®;r,A[il;Ai,V*:s.5[/']=}-7 


S;  ^;T;  A',  [i/x]S[//]  =>  7  I.H.(2)  on  2?  and  £x 

E;  de  T;  A [,\/x:s.B[I']  =>  7  VA  Rule  on  previous  line  and  £2 

Subcase: 


£' 

S=  S;tt;r,A[J];  A' =»£?[/'] 
E;^;r,A[2];  A'  =7  A  @ 

S;^;r;  A'  =7  B[I') 

S;^;r;  A'  =7  B@I'[I"] 

Subcase: 


I.H.(2)  on  V  and  £' 
@R  Rule  on  previous  line 


£' 

S=  S;tt;r,,4|[/];  A', £?[/']=»  7 
S;d/;r,^[/];A'1,JB@/'[/"]^>7 

S;^;r;  Ai,B[/']  =>7  I.H.(2)  on  X>  and  £' 

E;  \P;  T;  A'1;  B  @  =7  7  @A  Rule  on  previous  line 

Subcase: 


£ 


£' 

E;  'P;  T,  A[I];  A'  =7>  (A'  affirms  B)  at  I' 
E;vP;r,A[/];A'=7><A)A[/'] 


()A 


E;  r;  A'  =7  ( K  affirms  B)  at  I' 
E;  T;  A'  =7  {K)B[I'] 

Subcase: 


I.H.(2)  on  V  and  S' 
()R  Rule  on  previous  line 


Subcase:

          E1                                                     E2
          Σ; Ψ; Γ, A[I]; Δ'_1, B[I'] ⇒ (K affirms D) at I''      Σ; Ψ ⊨ I' ⊇ I''
    E =  ──────────────────────────────────────────────────────────────────────── ⟨⟩L
          Σ; Ψ; Γ, A[I]; Δ'_1, ⟨K⟩B[I'] ⇒ (K affirms D) at I''

  Σ; Ψ; Γ; Δ'_1, B[I'] ⇒ (K affirms D) at I''       I.H.(2) on D and E1
  Σ; Ψ; Γ; Δ'_1, ⟨K⟩B[I'] ⇒ (K affirms D) at I''    ⟨⟩L Rule on previous line and E2


Subcase:

          E'
          Σ; Ψ; Γ, A[I]; Δ' ⇒ B[I']
    E =  ──────────────────────────────────────── affirms
          Σ; Ψ; Γ, A[I]; Δ' ⇒ (K affirms B) at I'

  Σ; Ψ; Γ; Δ' ⇒ B[I']                    I.H.(2) on D and E'
  Σ; Ψ; Γ; Δ' ⇒ (K affirms B) at I'      affirms Rule on previous line

Subcase:

          E'
          Σ; Ψ ⊨ I' ⊇ I''
    E =  ─────────────────────────────────── ⊇R
          Σ; Ψ; Γ, A[I]; Δ' ⇒ I' ⊇ I''[I''']

  Σ; Ψ; Γ; Δ' ⇒ I' ⊇ I''[I''']            ⊇R Rule on E'

Subcase:

          E'
          Σ; Ψ, I' ⊇ I''; Γ, A[I]; Δ'_1 ⇒ γ
    E =  ─────────────────────────────────────── ⊇L
          Σ; Ψ; Γ, A[I]; Δ'_1, I' ⊇ I''[I'''] ⇒ γ

  Σ; Ψ, I' ⊇ I''; Γ; · ⇒ A[I]                 Weakening on D
  Σ; Ψ, I' ⊇ I''; Γ; Δ'_1 ⇒ γ                 I.H.(2) on previous line and E'
  Σ; Ψ; Γ; Δ'_1, I' ⊇ I''[I'''] ⇒ γ           ⊇L Rule on previous line

This ends the proof of Part 2.

Part 3:

Case: "Initial" Cut
Subcase:

          D'
          Σ; Ψ; Γ; Δ ⇒ A[I]
    D =  ───────────────────────────── affirms
          Σ; Ψ; Γ; Δ ⇒ (K affirms A) at I

    E =   Σ; Ψ; Γ; Δ', A[I] ⇒ (K affirms B) at I'

  Σ; Ψ; Γ; Δ', Δ ⇒ (K affirms B) at I'      I.H.(1) on A, D', and E

Case: Left Commutative Cuts

Subcase:


          D'
          Σ; Ψ; Γ', D[I'']; Δ, D[I''] ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────────────── copy
          Σ; Ψ; Γ', D[I'']; Δ ⇒ (K affirms A) at I

  Σ; Ψ; Γ', D[I'']; Δ', Δ, D[I''] ⇒ (K affirms B) at I'    I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ', D[I'']; Δ', Δ ⇒ (K affirms B) at I'            copy Rule on previous line


Subcase:

          D'
          Σ; Ψ; Γ; Δ1, D1[I''], D2[I''] ⇒ (K affirms A) at I
    D =  ─────────────────────────────────────────────────── ⊗L
          Σ; Ψ; Γ; Δ1, D1 ⊗ D2[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D1[I''], D2[I''] ⇒ (K affirms B) at I'    I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ; Δ', Δ1, D1 ⊗ D2[I''] ⇒ (K affirms B) at I'        ⊗L Rule on previous line

Subcase:

          D'
          Σ; Ψ; Γ; Δ1 ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────── 1L
          Σ; Ψ; Γ; Δ1, 1[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1 ⇒ (K affirms B) at I'            I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ; Δ', Δ1, 1[I''] ⇒ (K affirms B) at I'    1L Rule on previous line

Subcase:

          D'
          Σ; Ψ; Γ; Δ1, D1[I''] ⇒ (K affirms A) at I
    D =  ─────────────────────────────────────────────── &L1
          Σ; Ψ; Γ; Δ1, D1 & D2[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D1[I''] ⇒ (K affirms B) at I'          I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ; Δ', Δ1, D1 & D2[I''] ⇒ (K affirms B) at I'     &L1 Rule on previous line

Subcase:

          D'
          Σ; Ψ; Γ; Δ1, D2[I''] ⇒ (K affirms A) at I
    D =  ─────────────────────────────────────────────── &L2
          Σ; Ψ; Γ; Δ1, D1 & D2[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D2[I''] ⇒ (K affirms B) at I'          I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ; Δ', Δ1, D1 & D2[I''] ⇒ (K affirms B) at I'     &L2 Rule on previous line

Subcase: The last rule of D is ⊕L, and D has the form:

          D1                                             D2
          Σ; Ψ; Γ; Δ1, D1[I''] ⇒ (K affirms A) at I      Σ; Ψ; Γ; Δ1, D2[I''] ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────────────────────────────────────────────────── ⊕L
          Σ; Ψ; Γ; Δ1, D1 ⊕ D2[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D1[I''] ⇒ (K affirms B) at I'          I.H.(3) on A, D1, E, and F
  Σ; Ψ; Γ; Δ', Δ1, D2[I''] ⇒ (K affirms B) at I'          I.H.(3) on A, D2, E, and F
  Σ; Ψ; Γ; Δ', Δ1, D1 ⊕ D2[I''] ⇒ (K affirms B) at I'     ⊕L Rule on previous lines


Subcase: The last rule of D is ⊸L, and D has the form:

          D1                         D2                 D3
          Σ; Ψ; Γ; Δ1 ⇒ D1[I3]       Σ; Ψ ⊨ I2 ⊇ I3     Σ; Ψ; Γ; Δ2, D2[I3] ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────────────────────────────────────────────────── ⊸L
          Σ; Ψ; Γ; Δ1, Δ2, D1 ⊸ D2[I2] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ2, D2[I3] ⇒ (K affirms B) at I'               I.H.(3) on A, D3, E, and F
  Σ; Ψ; Γ; Δ1, Δ', Δ2, D1 ⊸ D2[I2] ⇒ (K affirms B) at I'      ⊸L Rule on D1, D2, and previous line


Subcase:

          D'
          Σ; Ψ; Γ, D[I'']; Δ1 ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────────── !L
          Σ; Ψ; Γ; Δ1, !D[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ, D[I'']; Δ', A[I] ⇒ (K affirms B) at I'        Weakening on E
  Σ; Ψ; Γ, D[I'']; Δ', Δ1 ⇒ (K affirms B) at I'          I.H.(3) on A, D', previous line, and F
  Σ; Ψ; Γ; Δ', Δ1, !D[I''] ⇒ (K affirms B) at I'         !L Rule on previous line


Subcase: The last rule of D is ⊃L, and D has the form:

          D1                        D2                 D3
          Σ; Ψ; Γ; · ⇒ D1[I3]       Σ; Ψ ⊨ I2 ⊇ I3     Σ; Ψ; Γ; Δ1, D2[I3] ⇒ (K affirms A) at I
    D =  ─────────────────────────────────────────────────────────────────────────────────── ⊃L
          Σ; Ψ; Γ; Δ1, D1 ⊃ D2[I2] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D2[I3] ⇒ (K affirms B) at I'               I.H.(3) on A, D3, E, and F
  Σ; Ψ; Γ; Δ', Δ1, D1 ⊃ D2[I2] ⇒ (K affirms B) at I'          ⊃L Rule on D1, D2, and previous line


Subcase:

          D1                                                 D2
          Σ; Ψ; Γ; Δ1, [t/x]B[I''] ⇒ (K affirms A) at I      Σ ⊢ t:s
    D =  ────────────────────────────────────────────────────────────── ∀L
          Σ; Ψ; Γ; Δ1, ∀x:s.B[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, [t/x]B[I''] ⇒ (K affirms B) at I'       I.H.(3) on A, D1, E, and F
  Σ; Ψ; Γ; Δ', Δ1, ∀x:s.B[I''] ⇒ (K affirms B) at I'       ∀L Rule on previous line and D2


Subcase:

          D'
          Σ; Ψ; Γ; Δ1, D[I2] ⇒ (K affirms A) at I
    D =  ──────────────────────────────────────────── @L
          Σ; Ψ; Γ; Δ1, D @ I2[I3] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D[I2] ⇒ (K affirms B) at I'           I.H.(3) on A, D', E, and F
  Σ; Ψ; Γ; Δ', Δ1, D @ I2[I3] ⇒ (K affirms B) at I'      @L Rule on previous line
Subcase:

          D1                                             D2
          Σ; Ψ; Γ; Δ1, D[I''] ⇒ (K affirms A) at I       Σ; Ψ ⊨ I'' ⊇ I
    D =  ──────────────────────────────────────────────────────────────── ⟨⟩L
          Σ; Ψ; Γ; Δ1, ⟨K⟩D[I''] ⇒ (K affirms A) at I

  Σ; Ψ; Γ; Δ', Δ1, D[I''] ⇒ (K affirms B) at I'         I.H.(3) on A, D1, E, and F
  Σ; Ψ ⊨ I'' ⊇ I'                                       Transitivity Property of ⊨ on D2 and F
  Σ; Ψ; Γ; Δ', Δ1, ⟨K⟩D[I''] ⇒ (K affirms B) at I'      ⟨⟩L Rule on previous lines

Subcase:

          D'
          Σ; Ψ, I2 ⊇ I3; Γ; Δ1 ⇒ (K affirms A) at I
    D =  ────────────────────────────────────────────── ⊇L
          Σ; Ψ; Γ; Δ1, I2 ⊇ I3[I4] ⇒ (K affirms A) at I

  Σ; Ψ, I2 ⊇ I3; Γ; Δ', A[I] ⇒ (K affirms B) at I'       Weakening on E
  Σ; Ψ, I2 ⊇ I3; Γ; Δ', Δ1 ⇒ (K affirms B) at I'         I.H.(3) on A, D', previous line, and F
  Σ; Ψ; Γ; Δ', Δ1, I2 ⊇ I3[I4] ⇒ (K affirms B) at I'     ⊇L Rule on previous line

This ends the proof of Part 3.

□ 

C  Enforcement of a Fragment of η-logic in ι-logic

C.1  Translation From ι-logic to η-logic

Theorem 4. Suppose Σ; Ψ ⊨ I''' ⊇ I'' for each I''' ∈ Ī and for each I''' ∈ Ī'. Then,

1. If Σ; Θ; Δ ⇒ F in ι-logic, then Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ F[I''] in η-logic.

2. If Σ; Θ; Δ ⇒ K affirms F in ι-logic, then Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ (K affirms F) at I'' in η-logic.

Proof. By simultaneous structural induction on the first given derivation, Σ; Θ; Δ ⇒ A or Σ; Θ; Δ ⇒ K affirms A.

Part 1:

Case:

    D =  ─────────────── init
          Σ; Θ; A ⇒ A

Let Ī' = {I'}.

  Σ; Ψ ⊨ I' ⊇ I''                          Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; A[I'] ⇒ A[I'']               init Rule on previous line
Case:

          D'
          Σ; Θ1, B; Δ, B ⇒ A
    D =  ───────────────────── copy
          Σ; Θ1, B; Δ ⇒ A

Let Ī'_1 = Ī' ∪ {I}.

  Σ; Ψ ⊨ I ⊇ I''                                     Containment assumption for Ī and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī' ∪ {I}          Containment assumption for Ī' and previous line
  Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'], B[I] ⇒ A[I'']          I.H.(1) on D', containment assumption for Ī, and previous line
  Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'] ⇒ A[I'']                copy Rule on previous line


Case:

          D1                   D2
          Σ; Θ; Δ1 ⇒ A1        Σ; Θ; Δ2 ⇒ A2
    D =  ─────────────────────────────────── ⊗R
          Σ; Θ; Δ1, Δ2 ⇒ A1 ⊗ A2

Let Ī' = Ī'_1 ∪ Ī'_2.

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1               Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ A1[I'']                      I.H.(1) on D1, containment assumption for Ī, and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_2               Containment assumption for Ī' and first line
  Σ; Ψ; Θ[Ī]; Δ2[Ī'_2] ⇒ A2[I'']                      I.H.(1) on D2, containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2] ⇒ A1 ⊗ A2[I'']       ⊗R Rule on third and fifth lines


Case:

          D'
          Σ; Θ; Δ1, B1, B2 ⇒ A
    D =  ──────────────────────── ⊗L
          Σ; Θ; Δ1, B1 ⊗ B2 ⇒ A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'], B2[I'] ⇒ A[I'']       I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊗ B2[I'] ⇒ A[I'']          ⊗L Rule on previous line


Case:

    D =  ──────────────── 1R
          Σ; Θ; · ⇒ 1

  Σ; Ψ; Θ[Ī]; · ⇒ 1[I'']                  1R Rule


Case:

          D'
          Σ; Θ; Δ1 ⇒ A
    D =  ───────────────── 1L
          Σ; Θ; Δ1, 1 ⇒ A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1           Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ A[I'']                   I.H.(1) on D', containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], 1[I'] ⇒ A[I'']            1L Rule on previous line


Case:

          D1                  D2
          Σ; Θ; Δ ⇒ A1        Σ; Θ; Δ ⇒ A2
    D =  ───────────────────────────────── &R
          Σ; Θ; Δ ⇒ A1 & A2

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']            I.H.(1) on D1 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A2[I'']            I.H.(1) on D2 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 & A2[I'']       &R Rule on previous lines


Case:

          D'
          Σ; Θ; Δ1, B1 ⇒ A
    D =  ────────────────────── &L1
          Σ; Θ; Δ1, B1 & B2 ⇒ A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ A[I'']           I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ A[I'']      &L1 Rule on previous line


Case:

          D'
          Σ; Θ; Δ1, B2 ⇒ A
    D =  ────────────────────── &L2
          Σ; Θ; Δ1, B1 & B2 ⇒ A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ A[I'']           I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ A[I'']      &L2 Rule on previous line


Case:

    D =  ──────────────── ⊤R
          Σ; Θ; Δ ⇒ ⊤

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ⊤[I'']              ⊤R Rule


Case:

          D'
          Σ; Θ; Δ ⇒ A1
    D =  ──────────────────── ⊕R1
          Σ; Θ; Δ ⇒ A1 ⊕ A2

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']            I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊕ A2[I'']       ⊕R1 Rule on previous line


Case:

          D'
          Σ; Θ; Δ ⇒ A2
    D =  ──────────────────── ⊕R2
          Σ; Θ; Δ ⇒ A1 ⊕ A2

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A2[I'']            I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊕ A2[I'']       ⊕R2 Rule on previous line


Case:

          D1                      D2
          Σ; Θ; Δ1, B1 ⇒ A        Σ; Θ; Δ1, B2 ⇒ A
    D =  ─────────────────────────────────────── ⊕L
          Σ; Θ; Δ1, B1 ⊕ B2 ⇒ A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ A[I'']           I.H.(1) on D1 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ A[I'']           I.H.(1) on D2 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊕ B2[I'] ⇒ A[I'']      ⊕L Rule on previous lines


Case:

          D'
          Σ; Θ; Δ, A1 ⇒ A2
    D =  ────────────────────── ⊸R
          Σ; Θ; Δ ⇒ A1 ⊸ A2

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī                                          Containment assumption for Ī
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ I'' for all I''' ∈ Ī                 Weakening Property of ⊨ on previous line
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I'' ⊇ i''                                   Hypothesis Property of ⊨
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī                 Transitivity Property of ⊨ on second and third lines
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'                                         Containment assumption for Ī'
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ I'' for all I''' ∈ Ī'                Weakening Property of ⊨ on previous line
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī'                Transitivity Property of ⊨ on sixth and third lines
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ i'' ⊇ i''                                   Reflexivity Property of ⊨
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī' ∪ {i''}        Seventh and eighth lines
  Σ, i'':interval; Ψ, I'' ⊇ i''; Θ[Ī]; Δ[Ī'], A1[i''] ⇒ A2[i'']               I.H.(1) on D', fourth line, and ninth line
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊸ A2[I'']                                           ⊸R Rule on previous line


Case:

          D1                   D2
          Σ; Θ; Δ1 ⇒ B1        Σ; Θ; Δ2, B2 ⇒ A
    D =  ──────────────────────────────────────── ⊸L
          Σ; Θ; Δ1, Δ2, B1 ⊸ B2 ⇒ A

Let Ī' = Ī'_1 ∪ Ī'_2 ∪ {I'}.

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                         Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ B1[I'']                                I.H.(1) on D1, containment assumption for Ī, and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_2                         Containment assumption for Ī' and first line
  Σ; Ψ ⊨ I'' ⊇ I''                                              Reflexivity Property of ⊨
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_2 ∪ {I''}                 Fourth and fifth lines
  Σ; Ψ; Θ[Ī]; Δ2[Ī'_2], B2[I''] ⇒ A[I'']                        I.H.(1) on D2, containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2], B1 ⊸ B2[I'] ⇒ A[I'']          ⊸L Rule on third, fifth, and seventh lines


Case:

          D'
          Σ; Θ; · ⇒ A1
    D =  ───────────────── !R
          Σ; Θ; · ⇒ !A1

  Σ; Ψ; Θ[Ī]; · ⇒ A1[I'']               I.H.(1) on D' and containment assumption for Ī
  Σ; Ψ; Θ[Ī]; · ⇒ !A1[I'']              !R Rule on previous line


Case:

          D'
          Σ; Θ, B; Δ1 ⇒ A
    D =  ───────────────────── !L
          Σ; Θ; Δ1, !B ⇒ A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ ⊨ I' ⊇ I''                                     Containment assumption for Ī' and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī ∪ {I'}           Containment assumption for Ī and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1               Containment assumption for Ī' and first line
  Σ; Ψ; Θ[Ī], B[I']; Δ1[Ī'_1] ⇒ A[I'']                I.H.(1) on D', third line, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], !B[I'] ⇒ A[I'']               !L Rule on previous line


Case:

          D'
          Σ; Θ, A1; Δ ⇒ A2
    D =  ────────────────────── ⊃R
          Σ; Θ; Δ ⇒ A1 ⊃ A2

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī                                          Containment assumption for Ī
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ I'' for all I''' ∈ Ī                 Weakening Property of ⊨ on previous line
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I'' ⊇ i''                                   Hypothesis Property of ⊨
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī                 Transitivity Property of ⊨ on second and third lines
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ i'' ⊇ i''                                   Reflexivity Property of ⊨
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī ∪ {i''}         Fourth and fifth lines
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'                                         Containment assumption for Ī'
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ I'' for all I''' ∈ Ī'                Weakening Property of ⊨ on previous line
  Σ, i'':interval; Ψ, I'' ⊇ i'' ⊨ I''' ⊇ i'' for all I''' ∈ Ī'                Transitivity Property of ⊨ on eighth and third lines
  Σ, i'':interval; Ψ, I'' ⊇ i''; Θ[Ī], A1[i'']; Δ[Ī'] ⇒ A2[i'']               I.H.(1) on D', sixth line, and third line
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊃ A2[I'']                                           ⊃R Rule on previous line

Case:

          D1                  D2
          Σ; Θ; · ⇒ B1        Σ; Θ; Δ1, B2 ⇒ A
    D =  ─────────────────────────────────────── ⊃L
          Σ; Θ; Δ1, B1 ⊃ B2 ⇒ A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ; Θ[Ī]; · ⇒ B1[I'']                                 I.H.(1) on D1 and containment assumption for Ī
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                    Containment assumption for Ī' and first line
  Σ; Ψ ⊨ I'' ⊇ I''                                         Reflexivity Property of ⊨
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1 ∪ {I''}            Third and fourth lines
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I''] ⇒ A[I'']                   I.H.(1) on D2, containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊃ B2[I'] ⇒ A[I'']               ⊃L Rule on second, fourth, and sixth lines


Case:

          D'
          Σ, x:s; Θ; Δ ⇒ A1
    D =  ─────────────────────── ∀R
          Σ; Θ; Δ ⇒ ∀x:s.A1

  Σ, x:s; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī          Weakening Property of ⊨ on containment assumption for Ī
  Σ, x:s; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'         Weakening Property of ⊨ on containment assumption for Ī'
  Σ, x:s; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']                 I.H.(1) on D' and previous lines
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ∀x:s.A1[I'']                 ∀R Rule on previous line


Case:

          D1                           D2
          Σ; Θ; Δ1, [t/x]B ⇒ A         Σ ⊢ t:s
    D =  ──────────────────────────────────────── ∀L
          Σ; Θ; Δ1, ∀x:s.B ⇒ A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], [t/x]B[I'] ⇒ A[I'']        I.H.(1) on D1 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ∀x:s.B[I'] ⇒ A[I'']        ∀L Rule on previous line and D2

Case:

          D'
          Σ; Θ; Δ ⇒ K affirms A1
    D =  ──────────────────────── ⟨⟩R
          Σ; Θ; Δ ⇒ ⟨K⟩A1

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ (K affirms A1) at I''      I.H.(2) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ⟨K⟩A1[I'']                 ⟨⟩R Rule on previous line


Part 2:

Case:

          D'
          Σ; Θ1, B; Δ, B ⇒ K affirms A
    D =  ────────────────────────────── copy
          Σ; Θ1, B; Δ ⇒ K affirms A

Let Ī'_1 = Ī' ∪ {I}.

  Σ; Ψ ⊨ I ⊇ I''                                                Containment assumption for Ī and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī' ∪ {I}                     Containment assumption for Ī' and previous line
  Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'], B[I] ⇒ (K affirms A) at I''       I.H.(1) on D', containment assumption for Ī, and previous line
  Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'] ⇒ (K affirms A) at I''             copy Rule on previous line

Case:

          D'
          Σ; Θ; Δ1, B1, B2 ⇒ K affirms A
    D =  ───────────────────────────────── ⊗L
          Σ; Θ; Δ1, B1 ⊗ B2 ⇒ K affirms A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'], B2[I'] ⇒ (K affirms A) at I''     I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊗ B2[I'] ⇒ (K affirms A) at I''        ⊗L Rule on previous line
Case:

          D'
          Σ; Θ; Δ1 ⇒ K affirms A
    D =  ─────────────────────────── 1L
          Σ; Θ; Δ1, 1 ⇒ K affirms A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                       Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ (K affirms A) at I''                 I.H.(1) on D', containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], 1[I'] ⇒ (K affirms A) at I''          1L Rule on previous line

Case:

          D'
          Σ; Θ; Δ1, B1 ⇒ K affirms A
    D =  ──────────────────────────────── &L1
          Σ; Θ; Δ1, B1 & B2 ⇒ K affirms A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ (K affirms A) at I''          I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ (K affirms A) at I''     &L1 Rule on previous line

Case:

          D'
          Σ; Θ; Δ1, B2 ⇒ K affirms A
    D =  ──────────────────────────────── &L2
          Σ; Θ; Δ1, B1 & B2 ⇒ K affirms A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ (K affirms A) at I''          I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ (K affirms A) at I''     &L2 Rule on previous line

Case:

          D1                                D2
          Σ; Θ; Δ1, B1 ⇒ K affirms A        Σ; Θ; Δ1, B2 ⇒ K affirms A
    D =  ─────────────────────────────────────────────────────────── ⊕L
          Σ; Θ; Δ1, B1 ⊕ B2 ⇒ K affirms A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ (K affirms A) at I''          I.H.(1) on D1 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ (K affirms A) at I''          I.H.(1) on D2 and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊕ B2[I'] ⇒ (K affirms A) at I''     ⊕L Rule on previous lines


Case:

          D1                   D2
          Σ; Θ; Δ1 ⇒ B1        Σ; Θ; Δ2, B2 ⇒ K affirms A
    D =  ───────────────────────────────────────────────── ⊸L
          Σ; Θ; Δ1, Δ2, B1 ⊸ B2 ⇒ K affirms A

Let Ī' = Ī'_1 ∪ Ī'_2 ∪ {I'}.

  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                                    Containment assumption for Ī' and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ B1[I'']                                           I.H.(1) on D1, containment assumption for Ī, and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_2                                    Containment assumption for Ī' and first line
  Σ; Ψ ⊨ I'' ⊇ I''                                                         Reflexivity Property of ⊨
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_2 ∪ {I''}                            Fourth and fifth lines
  Σ; Ψ; Θ[Ī]; Δ2[Ī'_2], B2[I''] ⇒ (K affirms A) at I''                     I.H.(1) on D2, containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2], B1 ⊸ B2[I'] ⇒ (K affirms A) at I''       ⊸L Rule on third, fifth, and seventh lines


Case:

          D'
          Σ; Θ, B; Δ1 ⇒ K affirms A
    D =  ─────────────────────────── !L
          Σ; Θ; Δ1, !B ⇒ K affirms A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ ⊨ I' ⊇ I''                                            Containment assumption for Ī' and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī ∪ {I'}                  Containment assumption for Ī and previous line
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                      Containment assumption for Ī' and first line
  Σ; Ψ; Θ[Ī], B[I']; Δ1[Ī'_1] ⇒ (K affirms A) at I''         I.H.(1) on D', third line, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], !B[I'] ⇒ (K affirms A) at I''        !L Rule on previous line


Case:

          D1                  D2
          Σ; Θ; · ⇒ B1        Σ; Θ; Δ1, B2 ⇒ K affirms A
    D =  ──────────────────────────────────────────────── ⊃L
          Σ; Θ; Δ1, B1 ⊃ B2 ⇒ K affirms A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ; Θ[Ī]; · ⇒ B1[I'']                                          I.H.(1) on D1 and containment assumption for Ī
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1                             Containment assumption for Ī' and first line
  Σ; Ψ ⊨ I'' ⊇ I''                                                  Reflexivity Property of ⊨
  Σ; Ψ ⊨ I''' ⊇ I'' for all I''' ∈ Ī'_1 ∪ {I''}                     Third and fourth lines
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I''] ⇒ (K affirms A) at I''              I.H.(1) on D2, containment assumption for Ī, and previous line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊃ B2[I'] ⇒ (K affirms A) at I''          ⊃L Rule on second, fourth, and sixth lines


Case:

          D1                                      D2
          Σ; Θ; Δ1, [t/x]B ⇒ K affirms A          Σ ⊢ t:s
    D =  ─────────────────────────────────────────────────── ∀L
          Σ; Θ; Δ1, ∀x:s.B ⇒ K affirms A

Let Ī' = Ī'_1, I'.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], [t/x]B[I'] ⇒ (K affirms A) at I''       I.H.(1) on D1 and containment assumption for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ∀x:s.B[I'] ⇒ (K affirms A) at I''       ∀L Rule on previous line and D2


Case:

          D'
          Σ; Θ; Δ ⇒ A
    D =  ─────────────────────── affirms
          Σ; Θ; Δ ⇒ K affirms A

  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A[I'']                      I.H.(1) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ (K affirms A) at I''        affirms Rule on previous line

Case:

          D'
          Σ; Θ; Δ1, B ⇒ K affirms A
    D =  ───────────────────────────── ⟨⟩L
          Σ; Θ; Δ1, ⟨K⟩B ⇒ K affirms A

Let Ī' = Ī'_1 ∪ {I'}.

  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B[I'] ⇒ (K affirms A) at I''         I.H.(2) on D' and containment assumptions for Ī and Ī'
  Σ; Ψ ⊨ I' ⊇ I''                                            Containment assumption for Ī' and first line
  Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ⟨K⟩B[I'] ⇒ (K affirms A) at I''      ⟨⟩L Rule on second and third lines

□ 
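The containment assumption of Theorem 4 is the part of the translation an implementation gets wrong most easily, so here is an added example (written for this edit, not code from the paper or its authors) that makes the side condition executable. Intervals are opaque names, Ψ is a set of containment facts outer ⊇ inner, and Σ; Ψ ⊨ I1 ⊇ I2 is modelled as the reflexive-transitive closure of Ψ. That closure is an assumption of the example: it supplies exactly the Hypothesis, Reflexivity, Transitivity and Weakening properties of ⊨ that the proof above invokes, and nothing more. `translate` builds the η-logic sequent Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ F[I''] from an ι-logic sequent and rejects it when some hypothesis interval does not contain I''. The names `entails`, `translate`, `containment_holds`, `Timed`, `EtaSequent` and the sample intervals are all constructed for this example.

```python
# Added example: the containment side condition of Theorem 4, made executable.
# Not the paper's code. Intervals are opaque names; Psi is a set of facts
# (outer, inner) meaning outer ⊇ inner; entailment is modelled (assumption)
# as the reflexive-transitive closure of those facts.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Sequence, Tuple

Containment = Tuple[str, str]  # (outer, inner) stands for outer ⊇ inner


def entails(psi: Iterable[Containment], outer: str, inner: str) -> bool:
    """Decide Σ; Ψ ⊨ outer ⊇ inner by searching chains of facts in Ψ."""
    if outer == inner:                      # Reflexivity Property of ⊨
        return True
    facts = frozenset(psi)
    seen = {outer}
    frontier = [outer]
    while frontier:                         # Transitivity Property: chain facts
        current = frontier.pop()
        for big, small in facts:            # Hypothesis Property: a fact of Ψ
            if big == current and small not in seen:
                if small == inner:
                    return True
                seen.add(small)
                frontier.append(small)
    return False


@dataclass(frozen=True)
class Timed:
    """A formula annotated with the interval over which it holds, e.g. A[I]."""
    formula: str
    interval: str


@dataclass(frozen=True)
class EtaSequent:
    """Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ F[I''] (Σ is implicit: intervals are just names)."""
    psi: FrozenSet[Containment]
    theta: Tuple[Timed, ...]
    delta: Tuple[Timed, ...]
    goal: Timed


def failing_intervals(psi: Iterable[Containment], intervals: Sequence[str],
                      goal_interval: str) -> List[str]:
    """Intervals I''' in the vector for which Σ; Ψ ⊨ I''' ⊇ I'' does not hold."""
    facts = frozenset(psi)
    return [iv for iv in intervals if not entails(facts, iv, goal_interval)]


def containment_holds(psi: Iterable[Containment], i_bar: Sequence[str],
                      i_bar_prime: Sequence[str], i_goal: str) -> bool:
    """The hypothesis of Theorem 4 for the vectors Ī and Ī' and goal I''."""
    return not failing_intervals(psi, list(i_bar) + list(i_bar_prime), i_goal)


def translate(psi: Iterable[Containment],
              theta: Sequence[str], i_bar: Sequence[str],
              delta: Sequence[str], i_bar_prime: Sequence[str],
              goal: str, i_goal: str) -> EtaSequent:
    """Annotate the ι-logic sequent Σ; Θ; Δ ⇒ F as Theorem 4 does.

    One interval per hypothesis; raises ValueError when the containment
    assumption fails for some hypothesis interval."""
    if len(theta) != len(i_bar) or len(delta) != len(i_bar_prime):
        raise ValueError("one interval per hypothesis is required")
    facts = frozenset(psi)
    bad = failing_intervals(facts, list(i_bar) + list(i_bar_prime), i_goal)
    if bad:
        raise ValueError(f"containment assumption fails for {bad}: "
                         f"each must contain {i_goal} under Ψ")
    return EtaSequent(
        psi=facts,
        theta=tuple(Timed(f, i) for f, i in zip(theta, i_bar)),
        delta=tuple(Timed(f, i) for f, i in zip(delta, i_bar_prime)),
        goal=Timed(goal, i_goal),
    )


if __name__ == "__main__":
    # Constructed sample: a policy valid for the academic year, a registration
    # valid for one semester, and a request that falls in one week of it.
    sample_psi = {("year", "semester"), ("semester", "week")}
    print(translate(sample_psi,
                    theta=["registered ⊃ may_read"], i_bar=["year"],
                    delta=["registered"], i_bar_prime=["semester"],
                    goal="may_read", i_goal="week"))
```

With the sample Ψ, "year" ⊇ "week" is obtained only through "semester", which is the Transitivity step the ⊸R and ⊃R cases perform by hand; swapping the goal to the year while a hypothesis is annotated with the week makes `translate` refuse, since the ι-logic derivation would then be asserting a conclusion over a larger interval than its hypotheses support.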


C.2  Translation From a Fragment of η-logic to ι-logic

Theorem 5.

1. If Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ F[I''], then Σ; Θ; Δ ⇒ F in ι-logic.

2. If Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ (K affirms F) at I'', then Σ; Θ; Δ ⇒ K affirms F in ι-logic.

Proof. By simultaneous structural induction on the first given derivation, D.

Part 1:

Case:

          D'
          Σ; Ψ ⊨ I' ⊇ I''
    D =  ─────────────────────────── init
          Σ; Ψ; Θ[Ī]; A[I'] ⇒ A[I'']

  Σ; Θ; A ⇒ A                   init Rule


Case:

          D'
          Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'], B[I] ⇒ A[I'']
    D =  ─────────────────────────────────────────── copy
          Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'] ⇒ A[I'']

  Σ; Θ1, B; Δ, B ⇒ A            I.H.(1) on D'
  Σ; Θ1, B; Δ ⇒ A               copy Rule on previous line


Case:

          D1                                    D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ A1[I'']        Σ; Ψ; Θ[Ī]; Δ2[Ī'_2] ⇒ A2[I'']
    D =  ────────────────────────────────────────────────────────────────── ⊗R
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2] ⇒ A1 ⊗ A2[I'']

  Σ; Θ; Δ1 ⇒ A1                       I.H.(1) on D1
  Σ; Θ; Δ2 ⇒ A2                       I.H.(1) on D2
  Σ; Θ; Δ1, Δ2 ⇒ A1 ⊗ A2              ⊗R Rule on previous lines


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'], B2[I'] ⇒ A[I'']
    D =  ─────────────────────────────────────────────── ⊗L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊗ B2[I'] ⇒ A[I'']

  Σ; Θ; Δ1, B1, B2 ⇒ A                I.H.(1) on D'
  Σ; Θ; Δ1, B1 ⊗ B2 ⇒ A               ⊗L Rule on previous line


Case:

    D =  ─────────────────────── 1R
          Σ; Ψ; Θ[Ī]; · ⇒ 1[I'']

  Σ; Θ; · ⇒ 1                         1R Rule


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ A[I'']
    D =  ──────────────────────────────────── 1L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], 1[I'] ⇒ A[I'']

  Σ; Θ; Δ1 ⇒ A                        I.H.(1) on D'
  Σ; Θ; Δ1, 1 ⇒ A                     1L Rule on previous line


Case:

          D1                                  D2
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']         Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A2[I'']
    D =  ──────────────────────────────────────────────────────────── &R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 & A2[I'']

  Σ; Θ; Δ ⇒ A1                        I.H.(1) on D1
  Σ; Θ; Δ ⇒ A2                        I.H.(1) on D2
  Σ; Θ; Δ ⇒ A1 & A2                   &R Rule on previous lines
Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ A[I'']
    D =  ─────────────────────────────────────────── &L1
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ A[I'']

  Σ; Θ; Δ1, B1 ⇒ A                    I.H.(1) on D'
  Σ; Θ; Δ1, B1 & B2 ⇒ A               &L1 Rule on previous line

Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ A[I'']
    D =  ─────────────────────────────────────────── &L2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ A[I'']

  Σ; Θ; Δ1, B2 ⇒ A                    I.H.(1) on D'
  Σ; Θ; Δ1, B1 & B2 ⇒ A               &L2 Rule on previous line

Case:

    D =  ───────────────────────── ⊤R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ⊤[I'']

  Σ; Θ; Δ ⇒ ⊤                         ⊤R Rule

Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']
    D =  ───────────────────────────────── ⊕R1
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊕ A2[I'']

  Σ; Θ; Δ ⇒ A1                        I.H.(1) on D'
  Σ; Θ; Δ ⇒ A1 ⊕ A2                   ⊕R1 Rule on previous line

Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A2[I'']
    D =  ───────────────────────────────── ⊕R2
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊕ A2[I'']

  Σ; Θ; Δ ⇒ A2                        I.H.(1) on D'
  Σ; Θ; Δ ⇒ A1 ⊕ A2                   ⊕R2 Rule on previous line


Case:

          D1                                           D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ A[I'']        Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ A[I'']
    D =  ────────────────────────────────────────────────────────────────────────────── ⊕L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊕ B2[I'] ⇒ A[I'']

  Σ; Θ; Δ1, B1 ⇒ A                    I.H.(1) on D1
  Σ; Θ; Δ1, B2 ⇒ A                    I.H.(1) on D2
  Σ; Θ; Δ1, B1 ⊕ B2 ⇒ A               ⊕L Rule on previous lines


Case:

          D'
          Σ, i'':interval; Ψ, I'' ⊇ i''; Θ[Ī]; Δ[Ī'], A1[i''] ⇒ A2[i'']
    D =  ───────────────────────────────────────────────────────────── ⊸R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊸ A2[I'']

  Σ; Θ; Δ, A1 ⇒ A2                    I.H.(1) on D'
  Σ; Θ; Δ ⇒ A1 ⊸ A2                   ⊸R Rule on previous line


Case: The last rule of D is ⊸L, and D has the form:

          D1                                   D2                   D3
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ B1[I''']      Σ; Ψ ⊨ I' ⊇ I'''     Σ; Ψ; Θ[Ī]; Δ2[Ī'_2], B2[I'''] ⇒ A[I'']
    D =  ────────────────────────────────────────────────────────────────────────────────────────────── ⊸L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2], B1 ⊸ B2[I'] ⇒ A[I'']

  Σ; Θ; Δ1 ⇒ B1                       I.H.(1) on D1
  Σ; Θ; Δ2, B2 ⇒ A                    I.H.(1) on D3
  Σ; Θ; Δ1, Δ2, B1 ⊸ B2 ⇒ A           ⊸L Rule on previous lines


Case:

          D'
          Σ; Ψ; Θ[Ī]; · ⇒ A1[I'']
    D =  ──────────────────────────── !R
          Σ; Ψ; Θ[Ī]; · ⇒ !A1[I'']

  Σ; Θ; · ⇒ A1                        I.H.(1) on D'
  Σ; Θ; · ⇒ !A1                       !R Rule on previous line


Case:

          D'
          Σ; Ψ; Θ[Ī], B[I']; Δ1[Ī'_1] ⇒ A[I'']
    D =  ────────────────────────────────────── !L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], !B[I'] ⇒ A[I'']

  Σ; Θ, B; Δ1 ⇒ A                     I.H.(1) on D'
  Σ; Θ; Δ1, !B ⇒ A                    !L Rule on previous line


Case:

          D'
          Σ, i'':interval; Ψ, I'' ⊇ i''; Θ[Ī], A1[i'']; Δ[Ī'] ⇒ A2[i'']
    D =  ───────────────────────────────────────────────────────────── ⊃R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1 ⊃ A2[I'']

  Σ; Θ, A1; Δ ⇒ A2                    I.H.(1) on D'
  Σ; Θ; Δ ⇒ A1 ⊃ A2                   ⊃R Rule on previous line


Case:

          D1                              D2                   D3
          Σ; Ψ; Θ[Ī]; · ⇒ B1[I''']        Σ; Ψ ⊨ I' ⊇ I'''     Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'''] ⇒ A[I'']
    D =  ───────────────────────────────────────────────────────────────────────────────────────── ⊃L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊃ B2[I'] ⇒ A[I'']

  Σ; Θ; · ⇒ B1                        I.H.(1) on D1
  Σ; Θ; Δ1, B2 ⇒ A                    I.H.(1) on D3
  Σ; Θ; Δ1, B1 ⊃ B2 ⇒ A               ⊃L Rule on previous lines


Case:

          D'
          Σ, x:s; Ψ; Θ[Ī]; Δ[Ī'] ⇒ A1[I'']
    D =  ──────────────────────────────────── ∀R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ∀x:s.A1[I'']

  Σ, x:s; Θ; Δ ⇒ A1                   I.H.(1) on D'
  Σ; Θ; Δ ⇒ ∀x:s.A1                   ∀R Rule on previous line


Case:

          D1                                              D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], [t/x]B[I'] ⇒ A[I'']       Σ ⊢ t:s
    D =  ──────────────────────────────────────────────────────── ∀L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ∀x:s.B[I'] ⇒ A[I'']

  Σ; Θ; Δ1, [t/x]B ⇒ A                I.H.(1) on D1
  Σ ⊢ t:s                             D2 with s that is not interval
  Σ; Θ; Δ1, ∀x:s.B ⇒ A                ∀L Rule on previous lines


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ (K affirms A1) at I''
    D =  ────────────────────────────────────────── ⟨⟩R
          Σ; Ψ; Θ[Ī]; Δ[Ī'] ⇒ ⟨K⟩A1[I'']

  Σ; Θ; Δ ⇒ K affirms A1              I.H.(2) on D'
  Σ; Θ; Δ ⇒ ⟨K⟩A1                     ⟨⟩R Rule on previous line


Part 2:

Case:

          D'
          Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'], B[I] ⇒ (K affirms A) at I''
    D =  ────────────────────────────────────────────────────────── copy
          Σ; Ψ; Θ1[Ī_1], B[I]; Δ[Ī'] ⇒ (K affirms A) at I''

  Σ; Θ1, B; Δ, B ⇒ K affirms A        I.H.(2) on D'
  Σ; Θ1, B; Δ ⇒ K affirms A           copy Rule on previous line


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'], B2[I'] ⇒ (K affirms A) at I''
    D =  ────────────────────────────────────────────────────────────── ⊗L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊗ B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1, B1, B2 ⇒ K affirms A      I.H.(2) on D'
  Σ; Θ; Δ1, B1 ⊗ B2 ⇒ K affirms A     ⊗L Rule on previous line


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ (K affirms A) at I''
    D =  ──────────────────────────────────────────────── 1L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], 1[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1 ⇒ K affirms A              I.H.(2) on D'
  Σ; Θ; Δ1, 1 ⇒ K affirms A           1L Rule on previous line


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ (K affirms A) at I''
    D =  ────────────────────────────────────────────────────── &L1
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1, B1 ⇒ K affirms A          I.H.(2) on D'
  Σ; Θ; Δ1, B1 & B2 ⇒ K affirms A     &L1 Rule on previous line


Case:

          D'
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ (K affirms A) at I''
    D =  ────────────────────────────────────────────────────── &L2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 & B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1, B2 ⇒ K affirms A          I.H.(2) on D'
  Σ; Θ; Δ1, B1 & B2 ⇒ K affirms A     &L2 Rule on previous line

Case: The last rule of D is ⊕L, and D has the form:

          D1                                                        D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1[I'] ⇒ (K affirms A) at I''       Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'] ⇒ (K affirms A) at I''
    D =  ──────────────────────────────────────────────────────────────────────────────────────────────────────── ⊕L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊕ B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1, B1 ⇒ K affirms A          I.H.(2) on D1
  Σ; Θ; Δ1, B2 ⇒ K affirms A          I.H.(2) on D2
  Σ; Θ; Δ1, B1 ⊕ B2 ⇒ K affirms A     ⊕L Rule on previous lines

Case: The last rule in D is ⊸L, and D has the following form:

          D1                                   D2                   D3
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1] ⇒ B1[I''']      Σ; Ψ ⊨ I' ⊇ I'''     Σ; Ψ; Θ[Ī]; Δ2[Ī'_2], B2[I'''] ⇒ (K affirms A) at I''
    D =  ───────────────────────────────────────────────────────────────────────────────────────────────────────── ⊸L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], Δ2[Ī'_2], B1 ⊸ B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1 ⇒ B1                              I.H.(2) on D1
  Σ; Θ; Δ2, B2 ⇒ K affirms A                 I.H.(2) on D3
  Σ; Θ; Δ1, Δ2, B1 ⊸ B2 ⇒ K affirms A        ⊸L Rule on previous lines


Case:

          D'
          Σ; Ψ; Θ[Ī], B[I']; Δ1[Ī'_1] ⇒ (K affirms A) at I''
    D =  ─────────────────────────────────────────────────────── !L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], !B[I'] ⇒ (K affirms A) at I''

  Σ; Θ, B; Δ1 ⇒ K affirms A           I.H.(2) on D'
  Σ; Θ; Δ1, !B ⇒ K affirms A          !L Rule on previous line


Case: The last rule in D is ⊃L and D has the form:

          D1                              D2                   D3
          Σ; Ψ; Θ[Ī]; · ⇒ B1[I''']        Σ; Ψ ⊨ I' ⊇ I'''     Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B2[I'''] ⇒ (K affirms A) at I''
    D =  ──────────────────────────────────────────────────────────────────────────────────────────────────── ⊃L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B1 ⊃ B2[I'] ⇒ (K affirms A) at I''

  Σ; Θ; · ⇒ B1                               I.H.(2) on D1
  Σ; Θ; Δ1, B2 ⇒ K affirms A                 I.H.(2) on D3
  Σ; Θ; Δ1, B1 ⊃ B2 ⇒ K affirms A            ⊃L Rule on previous lines


Case:

          D1                                                             D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], [t/x]B[I'] ⇒ (K affirms A) at I''        Σ ⊢ t:s
    D =  ─────────────────────────────────────────────────────────────────────── ∀L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ∀x:s.B[I'] ⇒ (K affirms A) at I''

  Σ ⊢ t:s                                    D2 with s that is not interval
  Σ; Θ; Δ1, [t/x]B ⇒ K affirms A             I.H.(2) on D1
  Σ; Θ; Δ1, ∀x:s.B ⇒ K affirms A             ∀L Rule on previous lines


Case:

          D1                                                        D2
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], B[I'] ⇒ (K affirms A) at I''        Σ; Ψ ⊨ I' ⊇ I''
    D =  ───────────────────────────────────────────────────────────────────────── ⟨⟩L
          Σ; Ψ; Θ[Ī]; Δ1[Ī'_1], ⟨K⟩B[I'] ⇒ (K affirms A) at I''

  Σ; Θ; Δ1, B ⇒ K affirms A                  I.H.(2) on D1
  Σ; Θ; Δ1, ⟨K⟩B ⇒ K affirms A               ⟨⟩L Rule on previous line

□